KR20050061544A - Cryptography using finite fields of odd characteristic on binary hardware - Google Patents

Abstract

A cryptographic method is described. The method comprises storing binary data representing at least a portion of a field element of an odd-characteristic finite field GF(pk) in a register, p being an odd prime number, the field element comprising k coefficients in accordance with a polynomial-basis representation, the binary data comprising plural groups of data bits, wherein each group of data bits represents an associated one of the k coefficients and processing the binary data in accordance with a cryptographic algorithm such that the plural groups of data bits are processed in parallel. An apparatus comprising a memory and a processing unit coupled to the memory to carry out the method is also described.

Description

CRYPTOGRAPHY USING FINITE FIELDS OF ODD CHARACTERISTIC ON BINARY HARDWARE}

The present invention is U.S. Serial No. entitled "Efficient arithmetic in finite fields of odd characteristic on binary hardware", of the invention of the patent application. 10 / 271,730 (Attroney Docket No. 040000-793), and U.S. Serial No., entitled "Error correction using finite fields of odd characteristic on binary hardware", of the invention of the patent application. 10 / 271,945 (Attorney Docket No. 040001-178), all of which are hereby incorporated by reference in their entirety.

The present invention relates to a method and apparatus for efficiently performing calculations in a finite field of odd prime characteristic on binary hardware. In particular, the present invention is useful for performing calculations in cryptography and error correction, but is not limited to such use.

Basic form of finite field

Finite fields (also known as Galois fields) are finite algebraic structures that handle two well-defined operations: add and multiply. As described by R. Lidl and H. Niederriter in “ Introduction to Finite Field and Their Applications , Cambridge University Press, Cambridge, Revised ed., 1994.” N is the power of prime number. only, i.e. only some few p = 2, 3, 5, one for .. N = p ^n, there is a finite field with N elements. this field will only reach the same type (isomorphism) typically GF ( p ⁿ ) For prime numbers p, the ground field GP (p) is simply an integer in the add and multiply modulo p. In general, F is a q = p ^k element. If the field of (i.e., F = GF (p ^k )), the order of the extended field l can be defined, whereby F (t) / (f (t)), where f (t) is the order It is a polynomial of l and is a contract for F. This extended field is also called GF (p ^{l k} ), which gives (the only) finite field of q ^l elements, that is, it is p ^lk = p ⁿ elements. The number p is called the characteristic of the field The well-known fact that two equally sized fields are homogeneous does not necessarily mean that the mapping between fields is trivial, but such mapping The structure of is not essential to the present invention and, in some cases, is within the comprehension of one of ordinary skill in the art and is discussed in a textbook such as “ Introduction to Finite Fields and Their Applications ” above. .

There are two main ways of representing finite fields. One representation is well known to those of ordinary skill in the art and is a normal basis representation, as detailed above in “ Introduction to Finite Fields and Their Applications. ” The main advantage is that it is easy to multiply elements by themselves, that is, squaring-type operations, which are not discussed further here. Patent 4,587,627 (Computational method and apparatus for finite field arithmetic), U.S. Patent 4,567,600 (Method and apparatus for maintaining the privacy of digital messages conveyed by pulbic transmission) and U.S. Patent 5,854,759 (Method and apparatus for efficient finite field basis conversion, the entire contents of each of which are incorporated herein by reference.

Another notation is known as polynomial basis representation. In this notation, the field element of GF (p ^k ) can be thought of as a polynomial of order k-1, whose coefficient is the field element of ground field GF (p), that is, an integer in the set (0, ..., p-1). Can be. Therefore, the typical element, γ can be expressed as follows for any integer γ _i in the field.

(One)

Here, 0 ≦ γ _i ≦ p-1, t = is a formal variable. The field element γ can also be viewed as a _k- dimensional vector (γ _k-1 ,..., Γ ₁ , γ ₀ ), and the polynomial basis notation mentioned here is planned to include this view. Another form of polynomial basis notation is to select a polynomial h (t) that is irreducible for orders k and GF (p), used for multiplication of field elements. This will be discussed in more detail below. Since any two fields of the same size are homogeneous, it does not matter that the contract h (t) is selected. From the system's point of view, h (t) is a system parameter that agrees on a particular application.

As described above, it can be expressed as an extension field F [t] / (f (t)) or GF (p ^{l k} ) of order l with respect to field F = GF (p ^k ). The elements of the extended field can be considered as polynomials of degree l −1, whose coefficients are elements of GF (p ^k ). In other words, the elements of an extended field can be viewed as polynomials with other polynomials as field coefficients. The element γ of the extended field is as follows.

(2)

Here, each gamma _j is a polynomial of maximum order k-1 having coefficients in the set (0, ..., p-1). Thus, polynomial γ _j is

(3)

Here, to avoid confusion with an extension-field polynomial where the formal variable is t, another formal variable u was chosen for this polynomial. This extended field formula using polynomial base notation will be used to illustrate the present invention.

The sum of two elements α, β in GF (p ^k ) is defined by simply adding the corresponding polynomial (or equivalent vector).

(4)

Where each (integer) coefficient (α _i + β _i ) is calculated modulo p. The complexity (in terms of modulo-p operations) of adding two elements directly using the definition in equation (4) above is equal to k. For example, for a finite field GF (3 ² ) with p = 3, the field element α = (2,1) can be written by the polynomial α = 2t + 1 in vector notation, and the field element β = ( 2,2) can be written as polynomial β + 2t + 1. The sum of these field elements is (α + β) = (2 + 2) t + (1 + 2), where each coefficient is found as modulo 3 (mod 3). Therefore, the sum is reduced to (α + β) = t since 4 mod 3 and 3 mod 3 = 0.

The product of two field elements is defined by forming h (t) with the product modulus, where h (t) is a polynomial that is shorthand (ie, non-factorial) with respect to order k and GF (p).

(5)

Where δ _i = ∑ _j α _j β _ij mod p. “Mod h (t)” here means using standard polynomial division to find the remainder when dividing by h (t), which results in orders of magnitude less than h (t), that is, less than k described above. According to this definition, the complexity of multiplying two elements is clearly on the order of k ^2. In contrast, using the Karatsuba algorithm, known to those of ordinary skill in the art, approximately k ^1.6. Although multiplication may be performed by arithmetic (asymptotically to k), such an algorithm involves the execution of more computations, and therefore the Karatsuba algorithm is described as “ §4.4.3 of D. Knuth, Seminumerical Algorithms , Vol. 2 of as it is shown in the · Art of Computer Programming, 2 nd ed, Addison-Wesley, Reading, MA, 1981. ", for example, is advantageous only for large k value as k> 100.

As an example, multiplying the field elements α = (2,1) and β (2,2) of the finite field FG (3 ² ) by the polynomial h (t), which is the order k = 2 and the shorthand for GF (3), Should be chosen, where polynomials 2t + 1 and 2t + 2 are modulated by modulo h (t). A valid contract polynomial is h (t) = t ² + t + 2. At this time, α · β = (4t ² + 6t + 2) mod h (t) = 4 (t ² + t + 2) + 2t-6 = 2t (2 mod 3 = 2 and 6 mod 3 = 0 ). Therefore, α · β = 2t or (2,0) in the vector display.

For extended fields (also called composite fields), the formulas for addition and multiplication are the same. However, all coefficient-wise operations are performed on ground fields that contain polynomial calculations.

Subtraction in the finite field can be simplified by noting the negative element x in p-x in the field GF (p). Thus, the element x can be replaced by p-x to find the negative number, and the normal coefficient unit addition can be performed to find the subtraction. Division can be performed by multiplying by an inverse known in the art.

(Finite fields used in the past)

The use of finite fields is central to many applications. In particular, finite fields are very useful for communication. For example, by embedding a message in a finite field, the message can be transmitted so that an error represented by the transmission medium can be corrected at the receiving end. This is the principle behind the error correcting code. In addition, finite fields can be used to achieve protection (confidentiality, integrity, origin authentication, and non-repudiation) for messages as encryption, message authentication, and digital signature means. have.

For use, such coding and encryption operations involving finite fields must be as efficient as possible, especially when running on light platforms such as mobile phones or other portable devices. For example, many encryption methods use the following exponentiation operation.

(6)

Where g is an element in a multiplicative group of finite fields, x is an integer and “·” represents the product of a finite field. The reason for using the exp _g (x) function is that exp _g (x) can be calculated as only about (log ₂ x) ³ field products in the ground field, but any coefficient (ie polynomial-time at log ₂ x) This is because no algorithm exists for the inverse transform (finding x from exp _g (x)). The latter is known as a discrete logarithm problem. In other words, exp _g (x) is a potent candidate for so-called one-way functions (functions that are easy to calculate), but it is difficult to inverse transform. Discrete algorithm problems are well known to those of ordinary skill in the art, for example, “ Handbook of Applied Cryptography by A. Menezes, P. van Oorschot, and SA Vanstone, CRC Press, Boca Raton, Florida, 1997. "

However, on computationally vulnerable platforms, even (log ₂ x) ³ multiplications are computationally excessive, and for many of the currently recommended field sizes (i.e. key size) such calculations are in many cases for example about 30 It will take about a second. The conventional method for improving performance is to limit the calculation to binary finite fields (fields of 2). Limiting computation to binary finite fields improves performance because the most useful hardware (eg CPUs) is actually binary. Therefore, field operations may consist of basic previous operations, such as bitwise XOR, which are effectively supported directly by hardware.

In addition, De Win et al. De Win, A. Bosselaers, S. VAnderberghe, P De Gersem, and J. Vandewalle, A fast Software Implementation for Arithmetic Operations in GF (2n) , Advances in Cryptology, Proceedings of Asiacrypt'96, LNCS 1163, Springer-Verlag, Berlin, 1996, pp. As disclosed in " 65-76 ", a method for improving efficiency by performing calculations using binary extension fields of composite number (non-prime) has been studied. A standard binary hardware structure is assumed to allow for operations (normal arithmetic and bit-operation) on k bits (ie k bits in word length), where p = 2 for even odd (binary) fields. We have found that forming two with the rest of the module can be done with simple bit operations.

If n is not a prime number, the finite field GF (2n) is considered to be a “non-trivial” extension of order l over GF (2 ^k ), where n = l k and l , k> 1, so an element in a field can be written as

(7)

Here, each γ _i is an element of GF (2 ^k ). The following elements can be used to add the field elements α and β in this notation.

(8)

Since α _i and β _i are elements of GF (2k), the sum α _i + β _i can be calculated as bitwise XOR between α _i and β _i . Thus, if k is small enough to fit into a hardware register (typically k≤32), then k addition can be executed in parallel using only one operation in hardware, and the factor of k at the speed of performing the addition. Is obtained.

Multiplication using De Win et al. Is performed to indicate that the multiplication group of GF (2 ^k ) is always cyclic, which means that any non-zero element, α _j is any integer 0≤x in the field. This means that element g is in GF (2 ^k ) so that it can be written as α _j = g ^x for <2 ^k −1 (ie, x is the discrete logarithm of α _j and g is known as the generator). If k is moderately large (e.g. k < = 16), then generator g can be found by a comprehensive search. Also in this case (eg ^k ≦ 16), ANTILOG {x} of g ^x can be formed for the table, all x (where 0 ≦ x <2 ^k −1). In addition, a table for the discrete algorithm DLOG {α _j } can be formed for all non-zero α _j . That is, for all α _j and x,

(9)

And

10

The product of α and β in GF (p ⁿ ) is calculated according to the following equation.

(11)

Here, δ _i = ∑ _j α _j β _ij is calculated as the sum of the products, and all operations take place in the field GF (2 ^k ). Given ^by g ^x g ^y = g ^{x + y} , each term α _j β _ij can be calculated by three tables searching in the preliminary calculation table described above according to the following equation.

(12)

The required memory is about k · 2 ^k-2 bytes, and the number of operations to perform multiplication is order l 2 = (n / k) ² . Therefore, the factor of k ² is obtained as the speed. The method requires precomputation of the tables and memory for storing these tables. If k is moderate (e.g., k≤16), it is possible to realize such a method of using a pre-calculated operation of order 2 ^k.

On the other hand, for a finite field of odd odd number p (where p is odd prime), the situation is more complicated than binary finite fields, which is the basic operation required for odd-characteristic finite fields. This is not a modulo-2 operation (bit-operation), but rather a modulo-p operation. Additional methods such as De Win are not applicable, for example, to finite fields of odd numbers (p = 3, 5, 7, ...), and similar methods for finite fields of odd numbers are not known to the applicant. . Performing odd-numbered finite field calculations in a conventional manner involves modular arithmetic, which requires long division. Most hardware supports modular arithmetic, but at the word-oriented level. Thus, the above optimization for calculations involving binary finite fields is not realized for calculations involving odd-numbered finite fields.

For the reasons mentioned above, binary finite fields are the most widely used finite fields in error correction and cryptography. However, Applicants have found that the limitation of calculations for such binary fields can have disadvantages. For example, if the field has the number 2 (binary field) than if the field has the odd number, the algorithm for inverting the above-described exp _g (x) function is more efficient. Therefore, it can be expected that the cryptographic strength of the function exp _g (x) is smaller for binary fields than for ordinary odd-number finite fields. Indeed, the implementation of cryptography recently using finite fields of odd odd and composite orders can provide improved cryptographic security over cryptographic methods involving other finite fields, and the benefit from cryptographic security is such computational cost. It has been suggested that it can be supplemented (K. Rubin and A. Silverberg, "Supersingular Abelian Varieties in Cryptology", Crypto 2002, Lecture Notes in Computer Science, Vol. 2442, ed.M. Jung, Springer-Verlag, Berlin, pp. 336-353, 2002). In addition, in the case of binary fields of synthetic order to which the optimization described in the above-mentioned paper by De Win et al. Can be applied, attacks on elliptic curve cryptosystems on such fields have recently been described by NP Gaudry et al. As described in (NP Gaudry, F. Hess, and NP Smart "Constructive and Destructive Facets of Weil Descent on Ellipic Curves", Technical Report CSTR-00-016, Department of Computer Science, University of Bristol, Oct , 2000, and in NP Smart, "How secure are elliptic curves over composite extension field?", Technical Report CSTR-00-017, Department of Computer Science, University of Bristol, Nov. 2000.). Thus, it is desirable to avoid these synthetic order binary fields for encryption. This attack is less effective if the finite field is an odd number (even if it is non-decimal), so there is no concern in this case. However, as mentioned above, using conventional calculation methods that include odd-numbered finite fields requires the sacrifice of computational optimizations that are otherwise obtained using binary finite field structures.

1 is a block diagram illustrating a system for performing a calculation including field elements of an odd-number finite field in accordance with an exemplary aspect of the present invention.

2A is a schematic diagram illustrating a hardware register having a data storage structure configured in single-guard-bit notation in accordance with an exemplary aspect of the invention for an example of GF 3 ¹⁰ .

2B is another schematic diagram illustrating a hardware register having a data storage structure configured in single-guard-bit notation in accordance with an exemplary aspect of the invention for an example of GF 7 ⁵ .

2C is a schematic diagram illustrating a hardware register having a data storage structure configured in multi-guard-bit notation in accordance with an exemplary aspect of the present invention for an example of GF 3 ⁸ .

3 is a flow diagram illustrating a method of processing binary data representing field elements of an odd-number finite field in accordance with an exemplary aspect of the present invention.

4 is a flow diagram illustrating a method of processing binary data to determine the sum of two field elements at p = 2 ^m −1 in accordance with the method shown in FIG. 3, in accordance with an exemplary aspect of the present invention.

FIG. 5 is a schematic diagram showing register contents for an example of addition in GF 3 ¹⁰ according to the method shown in FIG. 4; FIG.

FIG. 6 is a functional block diagram of a hardware device for performing calculations representing field elements of odd-number finite fields at p = 2 ^m −1 in accordance with an exemplary aspect of the present invention. FIG.

FIG. 7 is another functional block diagram of a hardware device for performing calculations representing field elements of odd-number finite fields at p = 2 ^m −1 in accordance with an exemplary aspect of the present invention. FIG.

8A is a schematic diagram illustrating an exemplary guard-bit insertion circuit for use in conjunction with the device shown in FIG. 7 in accordance with an exemplary aspect of the present invention.

8B is a schematic diagram illustrating an exemplary guard-bit cancellation circuit for use in conjunction with the apparatus shown in FIG. 7 in accordance with an exemplary aspect of the present invention.

9 is a flow diagram illustrating a method of processing binary data representing field elements of an odd-number finite field to determine a product of elements in accordance with an exemplary aspect of the present invention.

10A is a schematic diagram illustrating a DLOG look-up table for use in the method shown in FIG. 9 in accordance with an exemplary aspect of the present invention.

FIG. 10B is an indexing table reflecting the finite-field element a (t) and the corresponding n-squared generator corresponding to the binary information shown in FIG. 10A.

FIG. 11A is a schematic diagram illustrating an ANTILOG look-up table for use in the method shown in FIG. 9 in accordance with an exemplary aspect of the present invention. FIG.

FIG. 11B is an indexing table reflecting a finite-field element a (t) and a corresponding n-squared generator corresponding to the binary information shown in FIG. 10A. FIG.

12 is a functional block diagram illustrating a hardware device for performing multiplication of field elements of an odd-number finite field in accordance with an exemplary aspect of the present invention.

13 is a schematic diagram illustrating a compression operation to compress binary data stored in registers in multi-guard-bit notation in accordance with an exemplary aspect of the present invention.

FIG. 14 is a flow diagram illustrating a method of processing binary data to determine a sum of two fields at p = 2 ^m −1 in accordance with the method shown in FIG. 3, in accordance with an exemplary aspect of the present invention. FIG.

FIG. 15 is a schematic diagram showing register contents for an example of addition in GF 5 ⁶ in accordance with the method shown in FIG. 14; FIG.

FIG. 16 is a functional block diagram of a hardware device for performing a calculation including field elements of odd-number finite fields at p = 2 ^m + 1 in accordance with an exemplary aspect of the present invention. FIG.

FIG. 17 is another functional block diagram of a hardware device for performing a calculation including field elements of odd-number finite fields at p = 2 ^m + 1 in accordance with an exemplary aspect of the present invention. FIG.

18 processes binary data to determine the sum of two field elements at p = 2 ^m −d and d ≦ (2 ^m +1) / 3 according to the method shown in FIG. 3, in accordance with an exemplary embodiment of the present invention. Flowchart showing how to do it.

19 is binary to determine the sum of two field elements at p = 2 ^m −d and (2 ^m +1) / 3 <d <2 ^m in accordance with the method shown in FIG. 3, according to an exemplary embodiment of the present invention. Flowchart showing how to process data.

20 illustrates a method of processing binary data to determine the sum of two field elements at p = 2 ^m + d and d ≦ p / 6 according to the method shown in FIG. 3, in accordance with an exemplary embodiment of the present invention. Flowchart.

21 processes binary data to determine the sum of two field elements at p = 2 ^m + d and p / 6 <d <2 ^m −1 according to the method shown in FIG. 3, in accordance with an exemplary embodiment of the present invention. Flowchart showing how to do it.

22 is a block diagram of a system for performing error correction, in accordance with an exemplary aspect of the present invention.

23 is a flowchart illustrating a method of performing error correction, in accordance with an exemplary aspect of the present invention.

24A is a functional block diagram illustrating a system for performing encryption / decryption, in accordance with an exemplary aspect of the present invention.

24B is a flow diagram illustrating an exemplary encryption method in accordance with the present invention.

25 is a flow diagram illustrating an exemplary method of performing a key exchange in accordance with the present invention.

Figure 26 is a flow diagram illustrating an exemplary method of public key cryptography in accordance with the present invention.

Figure 27 is a flow diagram illustrating an exemplary method of public key cryptography in accordance with the present invention.

Figure 28 is a flow diagram illustrating an exemplary method of public key cryptography in accordance with the present invention.

Although the available hardware has binary characteristics, it can speed up computations involving basic finite field operations (ie, addition, multiplication, etc.) for non-binary finite fields, and special modulo-p hardware. Applicants have found that there is a need for a calculation method that reduces the need for this. Applicants have also found that there is a need for computational methods for non-binary finite fields that utilize register space more efficiently than conventional methods. For example, a 32-bit CPU can be used to perform conventional modulo-p arithmetic, but if p is small (e.g. p = 3 or p = 7), the amount involved (field element count) is only 2 Or 3 significant bits, so it is inefficient to devote 32 bits of register space for the operation. Applicants have found that it is desirable to use the available register space more effectively given the very small number involved. The present invention realizes and provides these and other needs, as will become apparent to those skilled in the art from the detailed description with reference to the accompanying drawings.

As used herein, the terms “comprises” and “comprising” are intended to specify the presence of the described features, integers, steps, and components, the use of which is one or more other features, It is not intended to exclude the presence or addition of integers, steps, components, or groups thereof.

In one typical aspect of the present invention, an encryption method is provided. The method includes storing binary data representing at least a portion of the field elements of the odd-number finite field GF (p ^k ) in a register, where p is an odd number and the field elements are in accordance with polynomial-based notation. k coefficients, wherein the binary data includes multiple groups of data bits, where each group of data bits represents an associated one of the k coefficients. The method includes processing binary data in accordance with an encryption algorithm such that multiple groups of data bits are processed in parallel. An encryption apparatus provided as another aspect of the present invention includes a key source and a hole-number finite-field encryption unit coupled with the key source, wherein the hole-number finite-field encryption unit is configured to execute the steps of the above method. do. A computer readable carrier is also provided that is adapted to program a computer that executes the method. Typical forms of computer-readable carriers include solid-state memory, magnetic disks, optical disks, or modulated waves, including a suitable set of computer instructions that cause a processor to perform the above steps. wave). For example, the modulated wave can be a radio modulated wave, an audio frequency modulated wave, a wide frequency modulated wave, or a modulated binary bit stream, which can be downloaded via a network connection or a modem.

In another exemplary aspect of the present invention, a key exchange method is provided. The method includes generating a number xA (eg, a random integer). The method also includes generating and transmitting yA, where yA = g ^xA , g is an element on F or an point on an elliptic curve for F, and F is an odd-number finite field GF (p ^k ) or GF is an extended field of (p ^k ), p is an odd number, where g includes a plurality of first basis coefficients, and the first basis coefficient is an element of GF (p), where of g many first basis coefficients A multiple group of first data bits representing at least a portion is stored in a first register and processed in parallel to produce yA. The method also includes receiving yB, where yB = g ^xB , where yB comprises a plurality of second basis coefficients, the second basis coefficients being an element of GF (p). The method also includes storing multiple groups of second data bits indicative of at least some of the plurality of second basis coefficients of yB in a second register, and processing the multiple groups of second data bits in parallel such that K = (yB ), including the step of calculating ^xA, to generate the secret key. There is provided an encryption device, comprising a memory, configured to execute the method, and a processing unit coupled to the memory. Also provided is a computer readable carrier adapted to program a computer executing the method.

Another typical aspect of the invention is a public key encryption method. The method includes obtaining a public key yA associated with the first communicator, where yA = g ^xA , where xA is the private key of the first communicator and g is an element of the finite field F or an elliptic curve for F Is a point in phase, F is an odd-number finite field GF (p ^k ) or an extended field of GF (p ^k ), p is an odd number, where yA includes a plurality of first basis coefficients, where g is a plurality of And a second basis coefficient, wherein the first and second basis coefficients are elements of GF (p). The method also generates the number r and u = g ^r and calculating the amount of pairs (u, v) in v = f ⁻¹ (P) * (yA) ^r , where P represents a plaintext message in a set of plaintext messages, and f is for F A mapping function that maps at least a portion of vector space to a set of plaintext messages, where * indicates a binary operation in the vector space, where a first data bit representing at least a portion of the plurality of first basis coefficients of yA Multiple groups are stored in a first register and processed in parallel to calculate v. The method further includes transmitting the (u, v) amounts of the pair to the first communicator, where the amount of the pair corresponds to an encrypted version of the plaintext message. There is provided an encryption device, comprising a memory, configured to execute the method, and a processing unit coupled to the memory. Also provided is a computer readable carrier adapted to program a computer executing the method.

As used herein, the term “in accordance with a polynomial basis representation” is intended to include any notation that is mathematically equivalent to, for example, polynomial basis notation, including vector notation. do.

The present invention provides a method for effectively performing arithmetic and logical operations comprising finite field GF (p ^{l k} ) (extended field) elements where p is an odd prime number. As will be described in detail below, one aspect of the present invention is tailored to how data representing elements of field GF (p ^k ) is stored in binary hardware and how arithmetic operations are performed effectively. As mentioned herein, the finite field GF (p ^k ) should be understood to mean an odd odd number finite field where the odd number p is odd.

Various aspects of the invention will be described in greater detail below through numerous preferred embodiments. In order to facilitate understanding of the present invention, various embodiments of the present invention are described as operations executed by elements of a computer system. Further, in each of the present embodiments, the various operations may be performed by specific circuitry (e.g., discrete logic gates connected to each other to execute a particular function), by program instructions executed on one or more processors, or by a combination of the two. Can be executed. The invention also provides a computer, such as a solid-state memory, a magnetic disk, an optical disk, or a modulated wave, which includes a suitable set of computer instructions to allow a processor to execute the techniques described herein. It is contemplated to be additionally fully implemented within any form of computer-readable carrier. For example, the modulated wave may be a radio frequency modulated wave, an audio frequency modulated wave, an optical frequency modulated wave, or a modulated binary bit stream, which may be downloaded via a network connection or a modem. Accordingly, various aspects of the invention may be embodied in many different forms, all such forms being intended to be within the scope of the invention. For each of the various aspects of the invention, some form of embodiment is referred to as “logic configured to” to perform the described operation, or alternatively “logic that” to perform the described operation. do.

GF (p ^k) before speaking about an aspect of the invention involving the calculation including the element itself, to an arithmetic operation in the field GF (p ^k) coupled to the arithmetic operations in the extension field GF (p ^{l k)} The algorithm is described first. ^{Given the} order l and the polynomial f (t), which is the contract for GF (p ^k ), is the element of GF (p ^{l k} ) operated at high level, and α (= ∑ _i α _i x ⁱ , α _i in GF ( p ^k )) and β (= ∑ _i β _i x ⁱ , β _i in GF (p ^k )), and the addition algorithms SUM (α, β) and multiplication PRODUCT (α, β) yield GF (p ^{l k} ), provided below. In this algorithm, the expression GF_p_k <op> (α _i , β _j ) represents a procedure for performing an operation <op> (addition, multiplication, etc.) on the field elements α _i and β _j in the field GF (p ^k ).

First, an addition algorithm, denoted as SUM (α, β), which combines the addition of the elements α and β of the extended field GF (p ^{l k} ) to the calculation performed in the field GF (p ^k ) is given as follows.

Here, GF_p_k_ADD will be described in detail below.

In addition, a multiplication algorithm, represented by PRODUCT (α, β), which combines the multiplication of the elements α and β in the extended field GF (p ^{l k} ) by the calculation performed in the field GF (p ^k ), will be described. Here, it is assumed that necessary initialization of the DLOG and ANTILOG tables has already been executed. The form of the DLOG and ANTILOG tables is described below. In addition, typical DLOG and ANTILOG tables are shown in FIGS. 10A and 11A as simple examples for the GF 3 ² described below.

Here, GF_p_k_MUL and REDUCE (δ, f) (the latter calculates z (t) mod f (t)) will be described in detail below.

It should be noted that the multiplication algorithm described above is merely one example of a possible multiplication algorithm. For large values of l (e.g., l > 100), the Karatsuba method may be used instead of the simple PRODUCT algorithm described above to achieve faster performance. The Karatsuba method is well known in the art and is described, for example, in “ Seminumerical Algorithms ” described above.

Finally, the reduction operation necessary to complete the multiplication algorithm, PRODUCT (α, β), can be executed in conjunction with the well-known algorithm indicated below as REDUCE (δ, f). This algorithm is also useful in the method of the present invention for efficient arithmetic in field GF (p ^k ) which will be described later. For computational efficiency f (t) may be chosen to “sparse,” meaning that f (t) has only some non-zero coefficient (eg, 3 non-zero coefficient). F (t) is formed by f (t) = f _l t ^l + f _j t ^j + f ₀ for some j between l and 0. However, it is generally necessary to make f (t) lean. It should be noted that for any value l , the contract polynomial f (t) of order l can be easily found by methods known in the art A general method of determining the contract polynomial f (t) is for example described above. One can be found in “ Seminumerical Algorithms ”. Recalling these comments, the abbreviation algorithm indicated by REDUCE (δ, f) is as follows.

The REDUCE algorithm is a normal polynomial division algorithm that is adapted for the special form of f (t) given above. It should be noted that tmp1 and tmp2 can be precomputed because they are fixed at a time in a given notation, i.e. f (t) is defined at one time. The function GF_p_k_SUB refers to field subtraction in the field GF (p ^k ), the function GF_p_k_INVERSE refers to multiplicative inverse computation, both of which facilitate the given algorithm for GF_p_k_ADD and GF_p_k_MUL, I will explain.

 An exemplary apparatus 100 for implementing the above algorithms and implementing other aspects of the present invention is described with reference to the block diagram of FIG. The apparatus 100 includes a memory 101 and a processing unit 105 coupled to the memory 101. The apparatus 100 also includes an input / output element 103. The processing unit 105 is composed of a plurality of registers 107-121 controlled by a logic circuit (not shown) in the processing unit. The processor 105 may communicate with the input / output device 103 and the memory 101 through an electrical connection (eg, an electric bus) indicated by an arrow in FIG. 1. The processing unit 105 may communicate with an external register (not shown) outside the processing unit 105.

As processing unit 105, for example, any conventional type of processing unit such as a Pentium-class processor or other CPU typically used in personal computers, or special purpose processing unit used in a cordless phone or other portable element. Can be used. Conventional processors used in personal computers commonly have eight general purpose registers, as shown by eight registers 107-121 (also denoted by registers a-h) in FIG. For example, register 107 may be an 8-bit register, a 16-bit register, a 32-bit register, a 64-bit register, or the like. The current generation of processors for conventional personal computers commonly have 32-bit registers.

As the memory 101, a suitable memory capable of storing a computer program, for example, a magnetic disk, a CD ROM, a magneto-optical disk, a flash memory or another kind of memory can be used. In addition to storing computer programs, the memory 101 may be used to store intermediate or final calculation results generated by the processing unit 105 and store look-up tables used during calculations. It can also be used to.

As the input / output element 103, for example, a hard-wired modem or network interface, a wireless modem, a second memory, an analog-to-digital-to-analog (AD / DA) converter, or another similar kind of element. Appropriate elements for transferring data from and / or to the processing unit 105, such as, may be used. If necessary, separate input and output devices can be used instead of combined input and output devices. The input / output element 103 may also be configured to perform guard-bit insertion and guard-bit removal. Guard-bit insertion and guard-bit removal are described later in connection with FIGS. 8A and 8B as an example.

In one aspect, the memory 101 may store one or more computer programs, and the processing unit 105 may connect to the memory 101 to execute the steps of the computer program (s). Such a computer program may include, for example, a program representing the algorithm described above and a program implementing other aspects of the present invention as described below.

In addition, although a single processing system 100 having a single processing unit 105 is shown in FIG. 1, the processing system 100 may include a multiple processing unit 105. It must be understood. In addition, the present invention may be implemented using a multiprocessing system instead of the single processing system 100.

The remainder of the detailed description, in that for storing binary data representing a field element of GF (p ^k) in the hardware registers, improve the speed of the arithmetic operations including a field element of GF (p ^k), such binary data It will be focused on describing the method according to the invention for performing the operation with. In this regard, algorithms GF_p_k_ADD and GF_p_k_MUL for adding and multiplying the field elements of GF (p ^k ) will be described. Also, other apparatus for implementing the method will be described.

According to one aspect of the present invention, the apparatus 100 shown in FIG. 1 has an odd number finite field in a manner that improves the computational efficiency as compared to conventional methods of performing calculations involving field elements of odd number finite fields. Can be used to perform calculations involving field elements of GF (p ^k ). In particular, the processing unit 105 is configured to store binary data representing at least a part of the field elements of the odd number finite field GF (p ^k ) in a register such as the register 107 shown in FIG. 1 (eg, a program). do). Where P is an odd number and the field element contains the k coefficient according to polynomial basis notation. The processing unit 105 and the register may also be viewed as a means for storing binary data displayed in at least part of the field elements of the GF (p ^k ). Binary data consists of a plurality of groups of data bits, where each group of data bits represents an associated one of the k coefficients. Thus, binary data representing multiple coefficients of field elements of odd odd finite field GF (p ^k ) can be put into a single hardware register in accordance with aspects of the present invention. In contrast, conventional methods for performing calculations involving field elements of odd odd finite fields only place binary data indicative of a single coefficient of odd odd finite fields in a single hardware register.

Further, the processing unit 105 is configured to execute at least one operation on the contents of the register 107 described above, so that a plurality of groups of data bits are processed in parallel. For example, even if only a few are listed, one or more operations may include shift operations, addition operations, binary subtraction operations, logical AND operations, and NOT operations (negative logic). In this regard, the processing unit 105 may be viewed as a means for executing at least one operation on binary data such that multiple groups of data bits are processed in parallel. Thus, by storing binary data representing multiple coefficients of the field elements of GF (p ^k ) in a single hardware register, and processing multiple groups of data bits in parallel, the computational speed in accordance with the present invention is achieved in fields of odd odd finite fields. This can be greatly increased compared to conventional methods for calculations involving elements. For example, if all k coefficients of the field elements of GF (p ^k ) are represented in a single hardware register, such as the register 107 shown in FIG. 1, the speed of processing binary data representing the field elements is a conventional method. Can be increased by a factor of addition k and multiplication k ² .

Multiple coefficients of the field elements of GF (p ^k ) can be stored in a single hardware register using two typical methods in accordance with the present invention. These methods are referred to herein as single-guard-bit representations and multiple-guard-bit representations, respectively, each of which has different advantages as described below. Have. In the description of each of these notations, the structure of the hardware is capable of performing basic arithmetic and logical operations on the w-bit word, i.e. the hardware register becomes a w-bit register for w≥k (m + 1). Assume, where binary data representing the entire field element will be stored in a single register. In the conventional sense, this means that the hardware structure can perform arithmetic and logical operations on binary encoded integers in the range of (0 ... 2 ^w -1). In principle, a large value of w is preferred because more information can be processed per operation. Bit positions are numbered from right to left, where the least significant bit is denoted by "0", the next bit is denoted by "2", and the most significant bit (word size) is "w". -1 ".

An example of single-guard-bit notation is shown in Figures 2A and 2B for a 32-bit hardware register. 2A shows a hardware register having a data storage structure for storing binary data representing the field elements α _i = (α _{9, i} ,..., Α _{1, i} , α _{0, i} ) of GF (3 ¹⁰ ). Schematic diagram of 200.

In the example of FIG. 2A, ten groups of bit positions 201-r (unshaded bit positions) represent the data bits representing the field coefficients α _{9, i} , ..., α _{1, i} , α _{0, i} . 10 groups are allocated to store. Two bit positions are allocated to store binary data representing each coefficient α _{j, i} (suffice since α _{j, i} ≦ 3 <2 ² ). Groups of data bits representing the coefficients α _{0, i} are stored in bit positions 0 and 1 (to the right). Another group of data bits representing the coefficients α _{1, i} are stored in bit positions 3 and 4. The 10 bit position 203-r is also assigned to store the “guard bit (light shaded area)” initially assigned a binary value of zero. In the example of FIG. 2A, bit positions 2, 5, 8, and the like are assigned guard bits. The guard bit position (also known as the separating-bit position) allows to separate binary data representing the field coefficients and to accept any carry bit from the immediately preceding group of bit positions 201-r. For example, when an arithmetic and logical operation is performed, a carry bit from the group of bit positions 201-1 prevents carry over to an adjacent group of bit positions 201-2, and instead, guard-bit position 203 Pass carry by -1 Also, in the example of FIG. 2A, the two most significant bit positions 205 in the register 200 are not used (dark shaded areas). In general, the unused bit position is the most significant bit position. However, unused bit positions can also be placed in the least significant bit positions. If the unused bit position is at the most significant bit position, there is no need to assign any particular value to the unused bit position. Otherwise, unused bit positions must be initially assigned to zero.

In the example of FIG. 2A for GF (3 ¹⁰ ), the ground field is GF (3), and the following mapping can be applied between the integer value of each coefficient and the corresponding binary data (the values in parentheses are binary data): 0-(0,0); 1 to (0, 1); 2 ~ (1,0); 3 ~ (1,1), where 3 also corresponds to 0 (since 3 mod 3 = 0). Thus, in one aspect of the present invention, a dual notation is provided in which two different numbers in GF (p) (3 and 0, p = 3 in this example) are represented by the same value (zero). In GF ( ^3k ) two binary bits are used to represent each coefficient of the field element. For GF (p ^k ), in general, the number of bits used to represent the coefficient of the field element depends on the p value. If p is given by p = 2 ^m −1, then m binary bits (not including guard bits) are used to indicate each coefficient of the field element.

Another example of single-guard-bit notation is shown in FIG. 2B. 2B is a schematic diagram of a hardware register 210 having a data storage structure for storing field elements α _i = (α _{4, i} ,..., Α _{1, i} , α _{0, i} ) of GF (7 ⁵ ). . In the example of FIG. 2B, five groups of bit positions 211-r (non-shaded bit positions) are assigned to store binary data representing the field coefficients α _{4, i} , ..., α _{1, i} , α _{0, i} do. In this example, p = 7 = 2 ^m −1. Therefore, m = 3, three bits (not including guard bits) are allocated to store binary data representing each coefficient α _{0, i} . Binary data representing coefficients α _{1, i} are stored in bit positions 4, 5, 6 and the like.

In the example of FIG. 2B for GF (7 ⁵ ), the ground field is GF (7), and the following mapping can be applied between the integer value of each coefficient and the corresponding binary data (the values in parentheses are binary data): 0 to (0,0,0); 1 to (0,0,1); 2 ~ (0,1,0); 3 to (0, 1, 1); 4 to (1,0,0); 5 to (1, 0, 1); 6 to (1, 1, 0); And 7 ~ (1,1,1), where 7 also corresponds to 0 (since 7 mod 7 = 0). Thus, the present invention provides a dual notation for representing two different numbers (7 and 0 in this example, p = 7) in GF (p) with the same value (zero).

In addition, in the example of FIG. 2B, the 5-bit position 213-r is allocated to store the "guard bit (light shaded area)" initially assigned a binary value of zero. In addition, bit positions 3, 7, 8, 11, and the like are allocated as guard bits. Also, in the example of FIG. 2B, the 12 most significant bit positions 215 in the register 210 are not used (dark shaded areas).

An example of multi-guard-bit notation is shown in FIG. 2C. 2C is a schematic diagram of a hardware register 220 having a data storage structure for storing field elements α _i = (α _{7, i} ,..., Α _{1, i} , α _{0, i} ) of GF (7 ⁸ ). . In the example of FIG. 2C, eight groups of bit positions 221-r (non-shaded bit positions) are assigned to store binary data representing the field coefficients α _{7, i} , ..., α _{1, i} , α _{0, i} Adjacent groups of bit positions 221-r are separated by groups of two guard bit positions 213-r (light shaded bit positions). In this example, p = 3 = 2 ^m −1. Therefore, m = 2, two bits (not including guard bits) are allocated to store binary data indicative of each coefficient α _{j, i} . Binary data representing the coefficients α _{0, i} are stored in bit positions 0 and 1 (to the right). Binary data representing coefficients α _{1, i} are stored in bit positions 4, 5, 6 and the like. Eight groups of bit positions 223-r are allocated to store each of the two guard bits, initially assigned a binary value of zero. In the example of FIG. 2C, bit positions 2, 3, 6, 7, 8, 10, 11, and the like are allocated for the guard bits. There is no unused bit in this example.

Typically, it is desirable to store binary data representing the entire field element of GF (p ^k ) in a single hardware register 107. However, if the field element is large enough that the binary notation exceeds the storage capacity of a single register, it is desirable to store binary data representing at least a portion of the field element in register 107. The arithmetic and logical operations described above can be implemented in combination with operations in multiple registers that together store binary data representing a single field element of GF (p ^k ). For example, if two registers are used to store binary data representing a single field element of GF (p ^k ), then for all binary data, the least significant bit in the left register is shifted toward the most significant bit of the right register. The right shift by m bits can be performed in combination with the two registers. (The terms "right-hand" and "left-hand" refer only to registers in the sense that the left-most-bit position in the register corresponds to the most significant bit position. The term is not intended to indicate that one register is physically located to the left of the other register.) However, two registers are used to store binary data representing field elements. It should be noted that if an unused extra bit is present in the most significant bit of the right register, a right-shift operation must be performed to skip over the unused extra bit.

According to another aspect of the present invention, the system 100 shown in FIG. 1 may be configured to perform the steps in the flowchart shown in FIG. 3. 3 shows a method 300 that includes a number of steps that may be executed by the processing unit 105 shown in FIG. 1. As in step 301 shown in FIG. 3, the processing unit 105 stores the first binary data indicating the first field element of the GF (p ^k ) in the first register (for example, the register 109). Odd number). Here, the first binary data includes k groups of first data bits, each group of first data bits corresponding to an associated one of k coefficients of the first field element. Similarly, as in step 303, processor 105 stores second binary data representing a second field element of GF (p ^k ) in a second register (e.g., register 111). Here, the second binary data includes k groups of second data bits, each group of second data bits corresponding to an associated one of the k coefficients of the second field element. In addition, as in step 305, the processing unit 105 performs the content of the first register and the content of the second register such that k groups of the first data bits are processed in parallel and k groups of the second data bits are processed in parallel. Generate third binary data by executing at least one operation on the. For example, to list just a few, the operations or operations mentioned in step 305 include addition operations, subtraction operations, shift operations, logical AND operations, and NOT operations. Combinations of these operations may be performed such that, for example, a third field element equal to the sum of the first and second field elements or a third field equal to the product of the first and second field elements, as described in detail below. Generate third binary data representing the element.

At least one first guard bit is located adjacent to the most significant bit of each group of first data bits, and each group of first data bits is from an adjacent group of first data bits by corresponding at least one first guard bit. To be separated, a k group of first data bits may be configured in the first register 109. At least one second guard bit is located adjacent to the most significant bit of each group of second data bits, and each group of second data bits is from an adjacent group of second data bits by the corresponding at least one first guard bit. To be separated, a k group of second data bits may be configured in the second register 111. In addition, at least one third guard bit is located adjacent to the most significant bit of each group of third data bits, and each group of third data bits is adjacent to the third data bit by at least one third guard bit corresponding thereto. To be separated from the group, the third binary data may comprise a k group of third data bits stored and organized in a third register (eg, register 113). In this regard, the third field element includes k third coefficients according to polynomial-based notation, with each group of third data bits representing an associated one of the k third coefficients. (In the description above, “first”, “second” and “third” are used as labels.)

The processor 105 and the first register (eg, register 109) can be viewed as a means for storing first binary data representing the first field element of GF (p ^k ). The processing unit 105 and the second register (eg, register 111) can be viewed as a means for storing second binary data representing the second field element of GF (p ^k ). The processing unit 105 and the third register (eg, the register 113) may be viewed as a means for storing third binary data representing the third field element of the GF (p ^k ). The processing unit 105 means for executing at least one operation on the first binary data and the second binary data such that k groups of first data bits are processed in parallel and k groups of second data bits are processed in parallel. Can be seen.

In step 307, it is determined whether additional data should be processed. If additional data should be processed, the process returns to step 301. If further processing involves processing binary data already stored in a manner consistent with steps 301 and / or 303 as a result of another calculation, steps 301 and / or 303 may be skipped as appropriate. If it is determined in step 307 not to process additional data, the algorithm ends.

An exemplary method of performing step 305 shown in FIG. 3 is described. Step 305 may be executed using, for example, algorithm GF_p_k_ADD or algorithm GF_p_k_MUL described below. GF_p_k_ADD and GF_p_k_MUL were mentioned in the above descriptions for the algorithms SUM (α, β), PRODUCT (α, β) and REDUCE (δ, f). As described below, the particular aspect of the algorithm for both GF_p_k_ADD and GF_p_k_MUL depends on the functional form of the arithmetic value p, and also on whether a single guard-bit notation or multiple guard-bit notation is used. In particular, certain aspects of this algorithm depend on which integer m is written, p = 2 ^m −1, p = 2 ^m +1, p = 2 ^m for which integer d. The integer d is chosen such that d <2 ^m −1. However, selecting d smaller (e.g. d &lt; p / 6) has some advantages, as described below. Thus, for the typical form for GF_p_k_ADD and for the typical form for GF_p_k_MUL, reference is made to the functional form of the surface value p and described below with reference to whether single-guard-bit notation or multi-guard-bit notation is used. .

In view of the comments above, there is a question as to whether the form of GF_p_k_ADD or the form of GF_p_k_MUL should be used when a given odd decimal number p can be written more than one function form. For example, p = 5 can be written as p = 2 ^m + 1 for ^m = 2 and p = 5 can also be written as p = 2 ^m -d for m = 3 and d = 3. In general, it is preferable to use the method for p = 2 ^m −1 rather than for the other two functional forms. It is also preferable to use the method for p = 2 ^m + 1 rather than the method for p = 2 ^m ± d with d> 1. In general, for p = 2 ^m ± d, it is preferable to select the odd number d, and the closer to 1 as possible, the better. Given a p value, try for all m = 1, 2, ..., (2log2 (p)), and choose d that satisfies p = 2 ^m ± d until we find a small d for each m By doing so, good (m, d) pairs can be found.

Addition using single-guard bit notation, p = 2 ^m -1

If p = 2 ^m -1, describe GF_p_k_ADD for single-guard-bit notation, and add the full addition of the two field elements in GF (pk) containing the relevant modular abbreviations (ie, each field element). K addition to the k coefficient of s) can be implemented with a small, fixed number of operations (no need for modular division requiring long division) in a hardware structure with at least w = k (m + 1) bitword size Indicates. For example, for a 32-bit structure, full addition in GF 3 ¹⁰ can be performed using only 5 instructions.

In single-guard bit notation, the first binary data representing the first field element α _i = (α _{k-1, i} , ..., α _{1, i} , α _{0, i} ) of GF (p ^k ) is Binary data representing α _{0, i} from bit positions 0 to m-1 such that a group of data bits representing one field coefficient is separated by one bit position from an adjacent group of data bits representing another field coefficient , Binary data representing α _{1, i} from bit positions m + 1 to 2m, and so forth, are stored in a first single hardware register (e.g., register 107 in FIG. 1). Second binary data representing the second field element β is likewise stored in a second single hardware register (eg, register 109). Bit positions v (m + 1) -1 (where v = 1, 2, ..., k) are allocated to separate binary data representing coefficients α _{0, i} , α _{1, i} and the like. This position is called the guard-bit position or split-bit position and is initially assigned a value of "0". An example of storing binary data according to the single-guard-bit notation for the w = 32-bit structure is shown in Figures 2A and 2B, which have already been described for the elements of fields GF (3 ¹⁰ ) and GF (7 ⁵ ), respectively. For example, in FIG. 2A for GF 3 ¹⁰ , a 2-bit position is reserved for each α _{j, i} (suffice since α _{j, i} ≦ 3 <2 ² ).

As first and second binary data representing the first and second field elements of GF (p ^k ) stored in the first and second registers, respectively, the operation can be performed to determine the sum of the first and second field elements. have. The contents of the first and second registers are referred to as a and b, respectively. With M2 as a binary quantity of "1" bits only at position j (m + 1) -1 (j = 1, 2, ... k) and elsewhere "0" (that is, M2 = 2 ^m +2 ^{2m + 1} + ... + 2 ^{k (m + 1) -1} ), M1 = MOT (M2) (bitwise negation) Let M1 be the binary amount given. The sum of the first and second field elements can be determined by performing the operation given in equation (13).

(13)

Where "&" represents a bitwise logical AND, ">>" represents a right shift, "+" represents a carry-added, and c is equal to the sum of the first and second field elements. The register content is composed of third binary data representing a third field element. The operation reflected in equation 13 can be executed in any way desired. For example, an intermediate quantity (a + b) can be stored in a given register and the given register can be overwritten with the final result given by the quantity c such that the operation (a + b) is executed only once. have. Binary amounts M1 and M2 can be thought of as mask amounts, which, when combined with the amount (a + b) through each logical AND operation, as in Equation 13, result in binary amounts M1 and M2 being the amount ((a + b). This is because the bits are masked out (set to zero) at specific bit positions in &quot; & M1) and ((a + b) & M2). Binary amount M1 masks out a bit at the amount ((a + b) & M1) corresponding to the guard-bit position. Binary amount M2 masks out a bit at the amount ((a + b) & M2) corresponding to a non-guard-bit position.

When Equation 13 is executed with guard bits at positions m, 2m + 1, etc. _, α _{j + 1, i} (or β _{j +} ) from the m-bit segment corresponding to any α _{j, i} (or β _{j, i} ). Carry bit is not transmitted to the segment indicating _{1, i} ). Thus, the field-element sum is actually calculated in component-wise, modulo p, for α _i and β _i . Mask operation by M1 ensures that the result has the correct notation with zero at the guard-bit position. In the above discussion, M2 is first determined and then M1 is defined as the term of M2. However, M1 is first determined as a binary amount having a value of 0 at the bit position corresponding to the bit position of the first guard bit stored in the first register and a value of 1 otherwise, and then M2 is determined as M2 = NOT (M1). The same may be done.

An example of this form of GF_p_k_ADD when p = 2 ^m −1 is shown in the flowchart of FIG. 4. The operation shown in FIG. 4 may be executed by a system such as system 100 shown in FIG. First binary data representing the first field element of GF (p ^k ) is stored in a first register (e.g., register 107 shown in FIG. 1), and a second register (e.g., register 109) is stored in the first register (e.g., register 107 shown in FIG. It is assumed that the steps 301 and 303 in FIG. 3 have already been executed in the processing unit 105 so that the second binary data representing the two field elements is stored. The steps shown in FIG. 4 indicate a typical implementation of step 305 shown in FIG.

As shown in step 401, the processing unit 105 adds the content a of the first register 107 and the content b of the second register 109. The addition can include a carry in the next most significant bit given if necessary. The result of the addition may be stored in another register 111. As shown in step 403, the processing unit 105 performs a logical AND operation between the amount (a + b) stored in the register 111 and the first predetermined binary amount M1 stored in one of the registers (e.g., 113). Run The quantity M1 has a value of 0 at a bit position corresponding to the bit position of the first guard bit stored in the first register 107 and corresponds to the bit position of the group of the first data bit stored in the first register. Has a value of 1. The result of this operation may be referred to as the first intermediate data c1 and is stored in one of the registers (eg, register 115).

As shown in step 405, the processing unit executes a logical AND operation between the amount (a + b) stored in the first register 111 and the second predetermined binary amount M2 where M2 is given by M2 = NOT (M1). . The NOT operation is a bitwise logical operation. The result of this operation is stored in one of the registers (eg, register 117). Also in step 405, the processing unit 105 performs a right shift by m bits for the amount given by ((a + b) & M2). The result of this operation is stored in the same register 117 or another register. The result of this operation may be said to be the second intermediate data c2 as shown in step 405. In step 407, the processing unit adds between the first intermediate binary data c1 and the second intermediate binary data c2 to generate the third binary data c, which is one of the registers (eg, Register 119). According to this method, the second binary data c represents the sum of the first field element and the second field element.

The algorithm according to FIGS. 3 and 4 has been described as a specific series of steps for ease of explanation. However, it is not necessary to carry out the steps shown in Figs. 3 and 4 in the order shown. One of ordinary skill in the art appreciates that the order of the steps can be changed and some of which can be executed concurrently. For example, steps 301 and 303 of FIG. 3 may be executed simultaneously, and steps 403 and 405 of FIG. 4 may be executed simultaneously.

By considering the following special case for k = 1, one can further understand the aspects of the typical form for GF_p_k_ADD described above. In the above description, the number “0” has two notations, 0 itself and p = 2 ^m −1. It is necessary to take this duality into account during input and output operations. Given p = 0 mod p, there is no mathematical problem with this double notation. In this double notation, integers can be added to modulo p by

(14)

Here, div 2 ^m is a function of returning to the floor of the quotient when the divisor is 2 ^m . In other words, the sum of a and b (in dual notation) is a + b if a + b <2 ^m, otherwise the sum is ((a + b) mod 2 ^m ) +1. Thus, in these two cases (depending on whether the sum is less than 2 ^m or not), the formula (a + b) mod p = [(a + b) mod 2 ^m ] + [(a + b) div 2 ^m ] Together. Since the modular and divisors are each powers of two, it can be seen that (a + b) ≦ 2 (2 ^m −1) = 2 ^{m + 1} −2 and the mod and div operations can be effectively executed as bit operations. Thus, given a hardware structure capable of performing operations on (at least) m + 1 bits, and given a double notation for a and b, the amount (a + b) mod p (in dual notation) is Can be determined according to 15.

(15)

Since a + b <2 ^{m + 1} −2, when w is a register size, if w≥m + 1, the result of executing Expression 15 does not overflow. Thus, instead of one addition and one modular abbreviation (long division) by p, five simple operations are performed if the amounts 2 ^m and 2 ^m-1 are fixed and can be considered constant bit-masks. In the discussion above, we assume k = 1 to facilitate the discussion. Of course, the invention can be practiced using k values greater than one. Nevertheless, a discussion of k = 1 can understand the form of GF_p_k_ADD and the choice of binary amounts M1 and M2 according to the invention used when k is greater than one.

In addition, the dual notation in which the number “0” is represented by 0 itself and p = 2 ^m −1 facilitates determining the sum of two field elements according to the above-described method. As mentioned above, instead of determining the sum of two field elements using one addition and one modular short (long division) by p, double notation uses five simple operations on binary data representing two field elements. Use to determine the sum.

Regarding the extension field GF (p ^{l k} ), as described above for the discussion of SUM (α, β) and PRODUCT (α, β), the elements of each extension field are represented by a vector of length l (polynomial) Where each component (coefficient) is an element of GF (p ^k ) and can be stored according to a single guard-bit notation as described above. Adding two elements in the extended field GF (p ^{l k} ) may be performed using a 5 l operation instead of an l k operation, as required when using conventional methods. Therefore, even with a relatively small k value, a significant increase in the calculation speed can be achieved.

Further, as described below, the typical form for GF_p_k_ADD described above may also apply to binary data stored according to the multi-guard-bit notation for p = 2 ^m −1.

(Example 1)

An example of numerical values describing the method shown in FIGS. 3 and 4 is shown in FIG. 5. The operation described below can be executed using a system such as the system 100 shown in FIG. 1 already described. FIG. 5 shows the register contents obtained by performing the operation as described above with respect to FIGS. 3 and 4. In Fig. 5, reference numerals 501-517 are 32-bit registers, and the binary data stored in registers 501-517 are organized according to a single guard-bit notation. Further, in this example, the binary data represents the field element of the finite field GF (3 ¹⁰ ), and the surface number p is given by p = 2 ^m −1 = 3. Thus, M = 2 and a 2-bit register space is allocated for each coefficient of finite field element. A single guard bit (light shaded bit position) separates adjacent binary data representing the adjacent coefficients of finite field elements. Also in this example, there is a register space (dark shaded bit position) of two unused bits in the most significant bit position of each register 501-517.

In this example, the first binary data a representing the first field element (2,2,0,2,0,3,2,2,0,0) (vector display) and the second field element (0) Second binary data b representing, 1,2,2,0,2,1,3,0,0 (vector display) is stored in the first and second registers 501 and 503, respectively (step 301, 303). Each coefficient of the field element is an element of the ground field GF (3) itself, and each coefficient is represented by binary data according to the following combination. That is, 0 to (0,0); 1 to (0, 1); 2 ~ (1,0); 3 ~ (1,1). Double notation is provided, where two different numbers in GF (p) (3 and 0 in this example p = 3) represent the same value (0). Thus, the binary data given by (1,1), corresponding to 3, represents 0 (since 3 mod 3 = 0). Each guard-bit position in registers 501 and 503 is initially assigned a zero value.

Register contents a and b stored in registers 501 and 503 are added via addition (corresponding to step 401), respectively. As a result, (a + b) is stored in the third register 505. The content (a + b) of the register 505 is combined with a logical AND operation with the content of the register 507, where the amount M1 is stored, and the result c1 = (a + b) & M1 is stored in the register 509 (Corresponds to step 403). The amount M2 = NOT (M1) is also stored in register 511. The content (a + b) of register 505 and the content M2 of register 511 are combined through a logical AND operation, so that (a + b) & M2 is stored in register 513 (corresponding to step 405). The content (a + b) & M2 of register 513 is shifted right by m = 2 bits, and the result is stored in register 513 (corresponding to step 405). The content c1 of register 509 and the content c2 of register 515 are added by addition, and the result is stored in register 517. The result is given by (2, 3, 2, 1, 0, 2, 3, 2, 0, 0) (vector display) and as expected, (2, 0, 2, 1, 0, 2, 0, 2, 0, 0).

In the above example, the carry is generated in three guard-bit positions (bit positions 8, 14 and 20) as shown in register 505 when adding the first binary data, a, the second binary data, b. The guard-bit position prevents the carry bit from affecting the value of an adjacent group of data bits. Thus, in this example, the guard-bit position (light shaded bit position) causes the operation to be performed in parallel on ten groups of data bits, where ten groups of data bits represent ten field coefficients.

In order to facilitate the explanation of the above operation, it is described that the binary results of the various steps shown in FIG. 5 are stored in registers which are individually identified. However, one of ordinary skill in the art appreciates that the various steps can be performed by reusing registers in a manner that overwrites previously stored binary data from earlier steps. For example, the first and second intermediate binary data c1 and c2 shown in registers 509 and 515 can be stored instead in registers 501 and 503 by overwriting the previously stored binary a and b, thus making the register space more efficient. Can be used as This completes the discussion of Example 1.

In another aspect of the invention relating to calculations involving field elements of odd odd finite fields in the case of p = 2 ^m −1, a hardware apparatus is provided for performing operations on the typical form of GF_p_k_ADD shown in FIG. 4. 6 is a functional block diagram of such a typical hardware device. In particular, the apparatus 600 shown in FIG. 6 generates the third binary data indicated by c in FIGS. 4 and 6, which can display the sum of the first field element and the second field element of GF (pk). Provide another way. In FIG. 6, the solid line represents the electrical connection to the flow of data, and the dotted line represents the electrical connection to the flow of the control signal. Intersecting solid lines are not connected unless they are marked with black spots such as connection point 623 at the intersection. Although the apparatus is described herein as a discussion relating to single-guard-bit notation, the apparatus 600 is equally applicable to multi-guard-bit notation as described below.

The device 600 includes a first register 601 and a second register 603 that hold first binary data (register content "a") and second binary data (register content "b"), respectively. The first binary data and the second binary data represent field elements of the finite field GF (p ^k ). Here, the first and second binary data in the first and second registers 601 and 603 are preconfigured to have zero at the guard-bit position, for example, as shown in FIG. 2A. The device comprises a combinational logic and clock element (clock / logic) 605, an add gate (+) 607 (also called an adder), a register 609 that holds the sum of register contents a and b, a first logic AND Gate (& 1) 611, mask register 613 for generating and maintaining a first predetermined binary amount M1 for input m, NOT gate (NOT) 615, and second logic ADN gate (& 2) 617. Also includes. The device 600 also includes an output register 621 that holds the right shift gate >> and the result “c”. Right shift gates are well known in the art, and such gates shift the value to the right by a selected number of bits and input that number of zeros into the most significant bit position. The clock / logic unit 605 has an output terminal (not shown) that allows a signal to be input to another hardware device, so that the calculation is completed by the other hardware device when the calculation in the device 600 is completed. Let this begin. For example, another hardware device may be another device 600 or multiplier device 1200 shown in FIG. 12 described below.

The operation of the apparatus 600 shown in FIG. 6 will be described. The first binary data representing the first field element of GF (pk) and the second binary data representing the second field element are the first register 601 and the second register via the lines labeled a and b. 603 is entered. It is assumed that the first and second binary data are preconfigured at zero in the guard-bit position (eg by a processor not shown). Binary data representing the amount m is also given to the right-shift gate (>>) 619. The mask resist 613 receives a first predetermined binary amount M1 (mask amount) from a processor (not shown). Where M1 is the amount of values as previously described. Alternatively, the mask register 613 may include circuitry for generating the quantity M1 for an input of binary data representing the quantity M. Making such a circuit is within the scope of those skilled in the art.

The calculation is initiated by the start signal at the input line specified by s. First and second binary data, binary data indicative of the amount m, and a start signal, for example, through a conventional routing circuit, such as a multiplication apparatus shown in FIG. 12 described below (not shown) Or other hardware device (not shown).

When the values of the first binary data and the second binary data in registers 601 and 603 are stable, the signal s1 locks the values in registers 601 and 603, respectively. Adder 607 adds the given values to the two inputs from registers 601 and 603. When the output of adder 607 is stable, the output from adder 607 is fixed in register 609 by the signal at the line designated by s2. The time required for a given value to stabilize in a given register can typically be determined from a circuit design perspective by one of ordinary skill in the art, and the locking signal (e.g., on lines s1 and s2) You can schedule the time to occur after this time. In this regard, the register 609 holds binary data displayed corresponding to the amount a + b shown in step 401 of FIG.

Binary data in register 609 is directed from register 609 to AND gate 611. The AND gate 611 performs a logical AND between the binary data from the register 609 and the mask amount M1 from the mask resist 613. The result of this logical AND operation is equivalent to the amount c1 shown in step 403 of FIG. The output from the first AND gate 611 is returned to the input of the first register 601 and another signal on the line designated s1 locks the value to the first register 601 as appropriate. In this regard, the signal at line s1 can be viewed as being timed properly so that it is not necessary to provide a multiplexer or switch at the specified point 623 to route the data output from the register 609. have. Of course, the device 609 may be provided with a multiplexer or switch at the point 623 for routing as needed.

As the operation described in the previous paragraph is executed, the next operation is executed at about the same time. The output from the register 609 is directed to the second AND gate 617 and the first predetermined binary amount M1 is directed to the logical NOT gate 615. The output of the logical NOT gate 615 is directed to the input of the second AND gate 617. Data at the input of this second AND gate 617 is combined through a logical AND operation to the right-shift gate 619. The right-shift gate 619 performs right-shift by m bits on data input from the second AND gate 617 in accordance with the input at the line designated m. The output of the right-shift gate 619 is directed to the input of the second register 603. The result of this group of operations, input into the second register 603, corresponds to the amount c2 mentioned in step 405 of FIG.

When the value of the binary data stored in the first and second registers 601 and 603 is stable, the signal s1 is fixed to the first and second registers 601 and 603 as this value. In this regard, the adder 607 adds binary data from the first and second registers 601 and 603 and outputs its output to the register 609. Binary data stored in register 609 is directed to output register 621, and the signal at line s3 locks the binary data to register 621 at the appropriate time. This binary data corresponds to the third binary data indicated by c in step 407 of FIG.

Those skilled in the art will appreciate that many variations of the device 600 are possible in accordance with the present invention. For example, each internal w-bit register 601, 603, 609, 613, and 621 can be replaced by multiple parallel (ie, coordinated) registers, at least one of which is at least two of the field elements. Maintain binary data representing coefficients. In addition, the first AND gate 611, the adder 607, the second AND gate 617, the NOT gate 615, and the right-shift gate 619, shown in FIG. 6, are each multiple parallel (ie, integrated). Can be replaced with copies.

In the apparatus 600 as described with reference to FIG. 6, the first and second binary data is input to the first and second registers 601 and 603, respectively, with a preconfigured zero value at the appropriate guard-bit position. do. The first and second binary data may be provided in such a configuration by the processor (not shown), for example, by inserting zeros at guard-bit positions where appropriate. Accordingly, the processor (not shown) and the first register 601 may be viewed as a means for storing first binary data, and the processor (not shown) and the second register 603 may store second binary data. It can be seen as a means. Register 521 and / or register 609 may also be viewed as a means for storing third binary data. In addition, the clock / logical element 605 and any or all of the remaining elements shown in FIG. 6 may be viewed as means for performing at least one operation on the first binary data and the second binary data.

By using the device 600 in accordance with a processor (not shown), the device 600 is flexible in using field elements for various choices of p and k for finite field GF (p ^k ). Where p is in the form of p = 2 ^m −1. In particular, the amount m is a variable and the right-shift gate 619 responds according to the input value of m. Further, the mask register 613 maintains an appropriate form of the first predetermined binary amount M1 depending on the amount m. The amount M1 is predetermined in that the amount m is selected at once, and the shape of the amount M1 follows directly as described above.

In another aspect of the invention, for situations where finite field GF (p ^k ) is wholly selected and remains unchanged, the device 600 may be modified, such as the hardware device 700 shown in the block diagram of FIG. . That is, as well as the selection of whether the notation is single-guard-bit notation or multi-guard-bit notation, the amounts m, p, and k are also fixed, and the hardware device 700 is dedicated to this selection. In such a situation, the hardware device 700 may receive initial binary data representing field elements. The initial binary data here is not composed of zeros in the guard-bit position. Rather, the hardware device 700 itself does not require a processor to configure the initial binary data to zero at the appropriate guard-bit position, thus to configure the first and second binary data to zero at the first guard-bit position. And generates first and second binary data. The hardware device 700 shown in FIG. 7 will be described.

The hardware device 700 shown in the functional block diagram of FIG. 7 shares various common features and operation forms with the device 600 shown in FIG. 6, and the same reference numerals are used for the same elements in FIGS. 6 and 7. Descriptions of aspects of device 700 that are common to device 600 are not repeated herein. Rather, aspects of device 600 and other device 700 will be discussed.

The device 700 has several features not found in the device 600. In particular, the device 700 has guard-bit-insertion circuits 701 'and 703' (GB insertion) and guard-bit-removal circuit 709 '(GB removal). A typical implementation of this circuit is shown in FIGS. 8A and 8B. As in FIG. 7, the guard-bit-insertion circuits 701 ′ and 703 ′ are functionally disposed at the input to the hardware device 700, and the guard-bit-removal circuit 709 ′ is coupled with the register 709. Functionally disposed between the output registers 721. The guard-bit-insertion circuits 701 'and 703' receive initial binary data a 'and b' corresponding to the first and second field elements of GF (p ^k ) (without guard bits), so that Operate to insert guard bits into the data. In other words, the guard-bit-insertion circuits 701 'and 703' store the initial binary data a 'and b' with first and second binary data with guard bits, in particular zero with guard-bit positions. Convert to binary data. The guard-bit-rejection circuit 709 'displays the calculation function without the guard bit by receiving the opposite function, i.e., receiving the third binary data c with the guard bit and removing the guard bit. To form the final binary data c '.

The device 700 lacks certain features present in the device 600 because such features are not needed in the device 700. In particular, the device 700 is missing an input line for the amount of m to the right-shift gate 719 and the mask register 713. This input line is not necessary to give m a fixed value. Rather, the right-shift gate 719 is initialized at one time to the m value to perform the appropriate right shift. Similarly, the mask resist 713 is initialized at one time with the appropriate form of M1. Conventional electrical connections are used to perform this initialization, not shown in FIG. Except for the difference in the above operations, the operation of the device 700 shown in FIG. 7 is almost similar to that described for the device 600 shown in FIG. 6.

As described above, in the apparatus 700, the first register 701 and the guard-bit insertion circuit 700 ′ may be regarded as a means for storing the first binary data. The second register 703 and the guard-bit insertion circuit 703 'can be viewed as a means for storing the second binary data. In addition, the register 709 can be viewed as a means for storing third binary data. In addition, the clock / logical element 705 and any or all of the remaining elements shown in FIG. 7 may be viewed as means for performing at least one operation on the first binary data and the second binary data.

The guard-bit-insertion circuits 701 'and 703' and the guard-bit-removal circuit 709 'mentioned in FIG. 7 will be described in more detail with reference to FIGS. 8A and 8B. The typical circuit shown in FIGS. 8A and 8B reflects a 32-bit resist configuration configured for field GF 7 ⁸ . However, the concept reflected in FIGS. 8A and 8B is generally applicable to other sizes of resist and other finite field GF (p ^k ). FIG. 8A shows a typical guard-bit-insertion circuit 800, which may be used for the guard-bit-insertion circuit (GB insert), denoted by reference numerals 701 'and 703', respectively, in FIG. As shown in FIG. 8A, the circuit 800 includes a first register 801 having a plurality of bit positions 803 (eg, 32 bits). The circuit 800 has a plurality of groups 807 of bit positions and a plurality of guard-bit positions 809 (light shaded areas) for storing binary data indicating field coefficients of field elements of GF (pk). Having a register 805. The circuit 800 is configured to route data from registers 801 to register 805 in a manner that imparts a guard-bit position 809 adjacent to the most significant bit position of the 3-bit position 807 of the previous group. It also includes a connection 811. Guard-bit position 809 is electrically grounded to provide zero for this bit value, but this electrical connection is not shown in FIG. 8A. Such a circuit can be formed using, for example, conventional lithographic techniques.

In this manner, the bit position of each 3-bit group 807 in register 805 can store binary data representing the coefficients of the field elements of GF 7 ⁸ , and each group 807 in register 805. ) Is separated from the bit position of the adjacent group 807 by a single guard bit 809. Thus, the guard-bit-insertion circuit 800 inserts the guard bits between groups of data bits representing the coefficients of the field elements so that the initial binary data representing the coefficients of the field elements is in parallel from register 801 to register 805. To be delivered.

Likewise, a typical guard-bit-removal circuit 820 is shown in FIG. 8B for a 32-bit GF 7 ⁸ . As shown in FIG. 8B, the guard-bit-removal circuit 820 is a mirror image of the guard-bit-insertion circuit 800 shown in FIG. 8A. The guard-bit-removal circuit 820 consists of a resistor 825, a resistor 821, and a number of electrical connections 831. The register 825 includes the bit positions of the plurality of groups 827 and the plurality of guard-bit positions 829, each guard-bit position located adjacent to the most significant bit of the bit positions of a given group 827. . As shown in FIG. 8B, electrical connection 831 is a binary data representing field coefficients of field elements stored in register 825 in such a way as to remove guard bits between adjacent groups of data bits representing field coefficients. Is configured to be passed to register 821. This completes the discussion of FIGS. 8A and 8B.

Multiplication using single-guard-bit notation

According to another aspect of the present invention, the typical form of GF_p_k_MUL for single-guard-bit notation is described to calculate the product of two field elements α _i and β _i (not zero) in GF (p ^k ). The case where one field element is zero is not important and need not be explained. This discussion is applicable to p written in functional forms p = 2 ^m −1, p = 2 ^m +1, p = 2 ^m −d and p = 2 ^m + d.

As discussed earlier in relation to Equations 9-12, multiplicative groups are periodic, so that any other non-zero field element can be written as g ^x for any integer x <p ^k . You can find element g. Thus, not only the corresponding anti-log, but also the discrete log of all field elements can be pre-computed at once, and a "look-up" table can be used to calculate the product of two field elements. Similarly, in connection with the present invention for binary data " a &quot; representing any α i according to single-guard-bit notation (when a guard bit of zero value is located at bit position v (m + 1) -1, Where v = 1, 2, ..., k, i.e., all consecutive m-th bit positions), the following relation can be applied.

(16)

(17)

Here, 0 ≦ x <p ^k such that g ^x = a _j . Thus, in single-guard-bit notation, the multiplication of the field elements of GF (p ^k ) can be established according to the following relationship.

(18)

Here, "a" is the first binary data (register content) stored according to the single-guard-bit notation representing the first field element, and "b" is the single-guard-bit notation representing the second field element. Second binary data (register content) stored accordingly, " c " is third binary data (register content) indicating a third field element equal to the product of the first and second field elements. For example, by using the algorithms PRODUCT (α, β) and GF_p_k_MUL described earlier notation, "a" is a field element α _j can be displayed, "b" is GF (p ^k) of GF (p ^k) of The field element β _ij can be displayed. Thus, in the single-guard-bit notation according to the present invention, the product of two field elements of GF (p ^k ) can be calculated using only three look-up tables and modular addition.

According to a typical aspect of the present invention, the system 100 shown in FIG. 1 can be used to implement the above method for multiplication of field elements. In particular, the system 100 may be configured such that the processor 105 executes the typical series of steps shown in FIG. 9 to generate third binary data referenced in step 305 of FIG. 3. Steps 301 and 303 shown in FIG. 3 are performed by storing first binary data representing a first field element of GF (pk) in a first register (e.g., register 107 of FIG. 1) and indicating a second field element. Assume that the second binary data has been executed in advance by the processor 105 such that the second binary data is stored in a second register (eg, register 109). The steps shown in FIG. 9 indicate a typical implementation of step 305 shown in FIG. The method 900 shown in the flow chart of FIG. 9 is described.

9 is a flowchart showing the steps performed by the processing unit 105 for processing the first and second binary data to generate third binary data indicating the product of the first and second field elements. As in step 901 of FIG. 9, the processor determines the amounts of DLOG (a) and DLOG (b). Here, "a" indicates the contents of the first register and "b" indicates the contents of the second register. In step 901, the DLOG operation indicates a look-up operation from the look-up table of the discrete log in binary form of the non-zero field element of GF (p ^k ). The look-up table of the discrete log may be stored in the memory 101 shown in FIG. An example of a simple look-up table for the DLOG operation on GF (p ^k ) is shown in FIG. 10A. The look-up table of FIG. 10A is described in more detail below.

In step 903, the processing unit 105 executes addition of the amounts of DLOG (a) and DLOG (b) and reduces the result of this addition as modulo (p ^k −1). In step 905, the processing unit 105 determines the amount ANTILOGDLOG (a) + DLOG (b)) mod (p ^k -1)}. The ANTILOG operation indicates the lookup operation from the anti-log look-up table, where ANTILOG (x) = g ^x and g is the constructor of GF (p ^k ). An example of a simple look-up table for the ANTILOG operation on GF (p ^k ) is shown in FIG. 11A. The look-up table in FIG. 11A is described in more detail below. The result of the operation described in step 905 is the third binary data referred to in step 305 of FIG. 3 to indicate the third field element, which in this example is the product of the first and second field elements.

A typical look-up table of discrete log and anti-log described above for single-guard-bit notation is described. For simplicity, the lookup table of the discrete log is referred to herein as the DLOG table, and the lookup table of the anti-log is referred to herein as the ANTILOG table.

As an example, the DLOG table is indexed by binary data corresponding to field elements of GF (pk), where the binary data can be viewed as a memory address. This kind of DLOG table is referred to herein as a "directly addressed" DLOG table, and uses contiguous binary data corresponding to field elements as memory addresses. For p = 2m-1, for example, the DLOG table. Is indexed (addressed) by a k (m + 1) -bit binary string, whereas the highest guard bit of the binary data representing each field element is not used for addressing (the highest guard bit is a table). The DLOG table may be indexed using a binary string k (m + 1) -1 bits in length, if the top guard bit is not used for addressing, the size of the DLOG table is an argument. Can be reduced to 2. If the binary data representing a field element is a (t) (where t is a polynomial variable in polynomial basis notation), then the DLO at the address corresponding to a (t) The corresponding look-up value from G is the integer "x", where x = DLOGa (t) The single-guard-bit notation of a field element allows the guard bit to be assigned to every mth bit so that the guard-bit (all k In the direct address DLOG table for p = 2 ^m -1, for the guard bits), there are only 2 ^km related entries in the DLOG table actually used during the lookup. t) The quantities are zero in the guard-bit position, and the entirety of these DLOG tables is 2 ^{k (m + 1)} reserved memory locations (if indexed using binary string k (m + 1) bits in length ⁾ . Rows) or 2 ^{k (m + 1) -1} rows, if indexed using the binary string k (m + 1) -1 bits in length, that is, the field element a (t) ( Rows in direct address DLOG tables with memory addresses ("1") at any guard-position are not used. Do not.

For example, if k = 8 and p = 3 (ie m = 2), the elements of each field are represented as 24-bit strings (with zeros in each third bit position), so the DLOG table is 8 Indexed by a string of (2 + 1) = 24 (equivalent to 8 (log ₂ (3) +1)). In this example, there are 2 ²⁴ reserved memory locations in the DLOG table, but since the look-up is only handled for the address corresponding to the field element, i.e. the string whose guard-bit position is zero, only one in all 256 is actually accessed data. It will include. In the example above, there are k = 8 guard-bit positions, and at all 28 (= 256) only one table index is used for the actual table look-up. However, for ordinary k and m (eg k (m + 1) <25), it is also convenient in many cases to realize the look-up table in this way.

As noted above, the most significant guard bit is not needed to index the address DLOG table directly, and this investigation saves factor 2 in the size of the DLOG table. As explained below, for p in the form p = 2 ^m +1, P = 2 ^m -d and p = 2 ^m + d where d> 1 and d are odd, each coefficient of the field element is p = Instead of m bits for 2 ^m −1, they are indicated using m + 2, m + 1 and m + 2 bits of binary data (not including guard bits), respectively. Therefore directly address DLOG table for p = 2 ^m -1 and other forms of p is considerably greater than the direct address DLOG table for p = 2 ^m -1 in the form of p.

A typical DLOG table 1000 representing the above concept of single-guard-bit notation is shown in FIG. 10A for the simple case of GF (3 ² ) where p = 2 ^m −1 for m = 2. . The example of FIG. 10A is constructed for GF (3 ² ) using the constructor g (t) = t and the contract polynomial p (t) = t ² + t + 2. Such a DLOG table can be realized in, for example, an 8-bit, 16-bit, 32-bit, or the like structure. As described above, selecting the appropriate constructor and contract polynomial for a given finite field GF (p ^k ) is within the scope of those skilled in the art.

The typical DLOG table 1000 shown in FIG. 10A includes a memory address 1001 corresponding to field element a (t) in binary form and a stored value 1003 corresponding to an associated integer x in binary form. The typical DLOG table 1000 also includes 2 ^{k (m + 1)} = 2 ⁶ = 64 rows (entries) 1005. In the example of FIG. 10A, each memory address comprises a k (m + 1) +2 (2 + 1) = 6-bit string, and the left-most bit of each memory address 1001 is a corresponding field. Corresponds to the most significant guard bit of the element. This most significant guard bit can be removed from memory address 1001 if necessary, causing DLOG table 1000 to be indexed by the binary string k (m + 1) -1 bits in length.

The memory address 1001 includes a group of data bits corresponding to the coefficients of the field elements in the manner described above. Each memory address 1001 further includes a plurality of guard bits 1005.

The stored value 1003 of the DLOG table 1000 is shown to be functionally adjacent to the memory address 1001 for illustration purposes. Each stored value 1003 contains binary data representing the integer x described above. Reference information 1050 is provided in FIG. 10B in a manner that sorts the information in the DLOG table 1000 shown in FIG. 10A in rows. The reference information 1050 of FIG. 10B is not a part of the DLOG table 1000, but represents the relationship between the binary information shown in the DLOG table 1000 and the field element a (t) in the form of polynomial and the actual integer value (x). It is to make it convenient to reflect. Several blank entries marked with "-" are in the "x" and "a (t)" columns of both Figures 10B and 10A. This blank entry has two causes. First, some blank entries reflect the fact that there is no integer x that satisfies g ^x = 0 for the field element “0” (a (t) = 0), as is well known in the art. Another blank entry corresponds to memory address 1001 having a "1" at any corresponding guard-bit position. As noted above, such an entry is not used in a typical DLOG table 1000.

In the example of direct addressing described above, the DLOG table 1000 has a reserved memory location that does not use look-up operations corresponding to the two kinds of blank entries described above. Most of these blank entries are associated with memory addresses with a "1" at some guard-bit position. However, compact DLOG tables can be realized without such blank entries. For example, instead of associating field elements with contiguous memory addresses, binary data representing field elements having only zeros at guard-bit locations may be stored in the DLOG table. The corresponding value for x = DLOG (a (t)) may be stored in the DLOG table. Stored a (t) entries and x entries can be associated with each other to return the look-up of a given a (t) entry to its corresponding x entry. This method does not have the simplicity of using contiguous binary data corresponding to a (t) entries as addresses, but has the advantage of requiring a small memory space.

In one aspect of the present invention, as described below, multi-guard-bit notation is used to obtain a compact table without significantly complicating the look-up. In general, such a compact DLOG table consists of 2 ^{km + 1} reserved memory locations (eg, 2 ^km rows with 2 entries per row), all of which can be used for look-up operations. Alternatively, if the most significant guard bit is removed, such a compact DLOG table can realize a 2 ^km reserved memory location. In comparison, the direct address DLOG table contains 2 ^{k (m + 1)} reserved memory locations (or 2 ^{k (m + 1) -1} reserved memory locations if the most significant guard bit is removed). Thus, using a compact DLOG table can be useful for calculations involving relatively large field elements (e.g., field elements represented by more than 25 bits of binary data including guard bits).

A typical aspect of the ANTILOG table according to the present invention is described. The ANTILOG table according to the present invention is similar to the above-described DLOG table. In particular, the ANTILOG table also contains binary information indicating the amount of x and a (t). However, the ANTILOG table is indexed (addressed) by binary data representing the amount x = DLOG (a (t)). Thus, for the memory address corresponding to the given x value, the look-up amount is a (t) = ANTILOG (x). Given that the ANTILOG table is indexed by x instead of a (t) (for DLOG tables), the ANTILOG table is considerably smaller than the corresponding DLOG table. In particular, the ANTILOG table has a p ^k -1 reserved memory location, regardless of the function form of p. p ^k reserved memory locations instead of the fact that the p ^k -1 reserved memory locations takes place from the fact that there is no integer x corresponding to the field elements ^{a (t) = g x =} 0.

As a typical ANTILOG table, p = 2 ^m −1 and m = 2 and a simple case of GF (3 ² ) for single-guard-bit notation is shown in FIG. 11A. The example of FIG. 11A was constructed for GF (3 ² ) using the generator g (t) = t and the contract polynomial p (t) = t ² + t + 2. Such an ANTLOG table can be realized in, for example, an 8-bit, 16-bit, 32-bit, or the like structure. The typical ANTILOG table 1100 shown in FIG. 11A includes a memory address 1101 corresponding to an integer x in binary form and a stored value 1103 corresponding to an associated field element in binary form.

The memory address 1101 of the typical ANTILOG table 1100 is shown in FIG. 11A to be functionally adjacent to the stored value 1103 for purposes of illustration. Each stored value 1103 includes a group of data bits representing the coefficients of the field elements in the manner described above. Each stored value 1103 further includes a number of guard bits 1105 with an entry of zero.

In a manner similar to that shown in FIG. 10B, reference information 1150 is provided in FIG. 11B in a manner that sorts the information in the ANTILOG table 1100 shown in FIG. 11A through the rows. The reference information 1150 of FIG. 11B is not a portion of the ANTILOG table 1100, but represents the relationship between the binary information shown in the ANTILOG table 1100 and the field element a (t) in polynomial form and the actual integer value x. It is to make it convenient to reflect.

As noted above, the DLOG and ANTILOG tables according to the present invention may be stored using any suitable hardware structure (eg, 8-bit, 16-bit, 32-bit, etc.). Further, as described above, the direct address DLOG table can be realized as continuous binary data indicating field elements used as memory addresses. Alternatively, the compact DLOG table can be realized without using direct addressing as described above. These compact DLOG tables use less memory space, but cannot be directly indexed by binary data representing field elements, and require more time-consuming table look-ups for compact DLOG tables. However, the multi-guard-bit notation described below can provide a notable DLOG table that allows for direct addressing and can respond to table look-ups with only a very small reduction in efficiency (approximately a factor of 2 ^k smaller). .

The memory required for the direct address look-up table for single-guard-bit notation for p = 2 ^m −1 is: For a direct address DLOG table, each row contains a binary form of size k * log ₂ (p) ≒ km bit integer (x) (not including the highest guard bit), and the table corresponds to a field element ( k-1) (m + 1) + m = k (m + 1) -1 Indexed by a binary string. Thus, the size of the DLOG table is approximately km2 ^{k (m + 1) -1} . For the ANTILOG table, each entry contains at most a k (m + 1) -bit string and there is a p ^k-1 entry. Thus the magnitude is k (m + 1) (p ^k −1) bits, which is approximately equal to k (m + 1) 2 ^km bits. Therefore, the DLOG table is approximately 2 ^k-1 larger than the ANTILOG table.

It is possible to reduce the table size even further (for single-guard-bit notation and multi-guard-bit notation) at the expense of performing the bulk multiplication. For example, Karatsuba's method of multiplying polynomials of order k described above replaces a single multiplication of two order-k polynomials with three multiplications (each containing polynomials of degree k / 2). It will be understood by one of ordinary skill in the art that the above-described typical multiplication according to the present invention can be similarly modified to use a smaller size table that combines with more table look-ups. For example, if the table size for performing typical multiplication according to the invention described above is S, the above modification using a table of size S ^1/2 may be made in combination with three times as many table look-ups. Despite the cost increase in table lookup, this method may be desirable in a memory-limited environment.

In view of the above discussion regarding GF_p_k_MUL and the corresponding DLOG and ANTILOG, it can be said that the above-described typical method of performing the multiplication of the field elements of GF (p ^k ) according to the present invention is significantly different from the conventional method. First, compared to the method for a finite binary field having a surface p = 2, the method stores binary data representing field elements differently using guard bits. Thus, the DLOG and ANTILOG tables according to the present invention have guard bits as shown in FIGS. 10A and 11A, whereas the look-up table of the conventional method including binary finite fields does not have (or need) guard bits. Do).

In addition, compared to the conventional method for the multiplication of field elements of odd-numbered finite fields, the method achieves multiplication operations with significantly fewer operations. In particular, in the extended field GF (p ^{l k} ) described above in the discussion of SUM (α, β) and PRODUCT (α, β), each element of the extended field is represented by a vector of length l (polynomial), where The components (coefficients) are stored according to single-guard bit notation. Multiplying two elements in an extended field requires approximately 3 l ² operations rather than the ( l k) ² operations required by conventional methods. Thus, even with a relatively small value k, a significant increase in the calculation speed can be achieved.

In another aspect of the present invention relating to the multiplication of field elements of odd-number finite fields, a dedicated hardware device for performing the operation of GF_p_k_MUL shown in FIG. 9 may be provided. 12 is a functional block diagram illustrating such a hardware device. In particular, the exemplary apparatus 1200 shown in FIG. 12 is another method of generating third binary data capable of displaying the product of the first and second field elements of GF (p ^k ), denoted c in FIG. 4. To provide. In FIG. 12, the solid line represents the electrical connection to the flow of data, and the dotted line represents the electrical connection to the flow of the control signal. Although the device 1200 is described as a discussion according to single-guard-bit notation, the device 1200 can be similarly applied to the multi-guard-bit notation described below. The device 1200 is also independent of the form of surface value p (ie, p = 2 ^m ± 1 or P = 2 ^m ± d).

The device 1200 includes a first register 1201 and a second register 1203 that hold first binary data (register content "a") and second binary data (register content "b"), respectively. The first binary data and the second binary data represent field elements of the finite field GF (p ^k ). Here, assume that the first and second binary data in the first and second registers 1201 and 1203 are already configured to zero at the appropriate guard-bit position. However, guard-bit insertion and removal circuits as described with respect to FIGS. 7 and 8 may be included if desired, so that initial binary data can be entered into the device 1200 without guard bits. The apparatus 1200 also includes a combinational logic and clock element (clock / logic) 1205, a first multiplexer (MUX1) 1207, a DLOG look-up memory 1209, and an ANTILOG look-up memory 1211. . DLOG and ANTILOG look-up memories can be realized using, for example, random access memory (RAM) or flash memory. The device 1200 includes a register 1213 holding a binary amount DLOG (a), a register 1215 holding a binary amount DLOG (b), an add gate (+) 1217 (also called an adder), and examples It also includes a register 1219 that holds an integer value p ^k -1 in binary form, for example, received from the processor. Alternatively, specific circuitry may be provided with register 1219 that generates a p ^k- 1 value for input of values for p and k. The configuration of this particular circuit is within the scope of one of ordinary skill in the art. The device 1200 also includes a modulo arithmetic circuit (MOD) 1221 that calculates the remainder of the input amount divided by p ^k -1, provided by the register 1219. The circuit 1221 can be conventional modular computing hardware known in the art so no further explanation is required. The device 1200 further includes a second multiplexer (MUX2) 1223 and an output register 1225 that holds the third binary data “c” that is the result of the calculations within the device. The clock / logic unit 1205 has an output terminal (not shown) for inputting a signal to another hardware device to start the calculation in another hardware device when the calculation in the device 1200 is finished. For example, another hardware device may be another device 1200 or adder device 600 as shown in FIG.

The operation of the typical device 1200 shown in FIG. 12 will be described. First, DLOG look-up memory 1209 and ANTILOG look-up memory 1211 are initialized at one time with the appropriate discrete log and anti-log data. This provides an initial programming signal to the clock / logic unit 1205 via a line designated as s, while simultaneously providing discrete log and anti-log data to the DLOG look-up memory 1209 and ANTILOG look-up memory 1211. And via an external data bus specified as eD2, respectively. At the same time, address data is provided to the DLOG memory 1209 and the ANTILOG memory 1211 by the external address buses eA1 and eA2 via MUX1 1207 and MUX2 1223, respectively. As mentioned above, the look-up memories 1209 and 1211 can be realized with, for example, RAM or flash memory. Alternatively, if the device 1200 is dedicated to specific values of p and k, the look-up memories 1209 and 1211 can be realized using ROM, and preliminary calculation of discrete log and antilog data is performed at one time. It can be executed and loaded into the ROM at the manufacturing stage.

When the look-up memories 1209 and 1211 are initialized, the first register 1201 is on the line designated as a and b by the first binary data representing the first field element and the second binary data representing the second field element. And second registers 1203, respectively. It is assumed that the first binary data and the second binary data are preconfigured to zero at the appropriate guard-bit position. In contrast, the guard-bit-insertion circuitry, as described with respect to FIGS. 7 and 8, may have appropriate guard bits before loading the first and second binary data into the first and second registers 1201 and 1203, respectively. It can be used to insert. Binary data representing the amount of p ^k -1 is input to register 1219 via a line specified by "p ^k -1". For example, the first binary data, the second binary data, the discrete log and anti-log data, and the binary data indicating the p and k amounts are a processor (not shown) or one or more hardware devices (not shown). Can be provided. For example, an adder 600 as shown in FIG. 6 or 7 may be used to provide at least some of this data (eg, first binary data and second binary data) via conventional routing circuitry. Can be.

As shown in Fig. 12, the calculation is initialized by the start signal through the line designated by s. The initiation signal may be provided from a processor (not shown) or one or more hardware devices (not shown). If the values of the first binary data and the second binary data in the registers 1201 and 1203 are stable, the signal s1 fixes these values in the first and second registers 1201 and 1203, respectively. If the values of the binary data representing the p ^k -1 amounts in the register 1219 are stable, then the signal s5 fixes these values in the register 1219. Signal s2 is input to MUX1 1207 which passes the content a of first register 1201 to DLOG memory 1209 and connects to DLOG memory 1209. When the output value from the DLOG memory is stable, the output value is fixed to the register 1213 by the signal s4. The register 1213 holds the value of DLOG (a). Another signal s2 is input to MUX1 1223 which passes the content b of second register 1203 to DLOG memory 1209 and connects to DLOG memory 1209. When the output value from the DLOG memory is stable, the output value is fixed to the register 1215 by the signal s3. The register 1213 holds the DLOG (b) value. Adder 1217 calculates an integer sum of the contents of registers 1213 and 1215 and sends the result to modulo arithmetic circuit (MOD) 1221, which is available from register 1219 p ^k -1. Calculates the remainder of the value entered when divided by a quantity. The output from MUX2 is input to ANTILOG memory 1211 and connected to ANTILOG memory 1211. When the output value from the ANTILOG memory 1211 is stable, the output value is fixed to the register 1225 by the signal s6. The register 1225 maintains the value ANTILOG (DLOG (a) + DLOG (b)) mod (p ^k −1) in single-guard-bit notation, which may be used for output as register content c. However, if necessary, a guard-bit-removal circuit as shown in FIGS. 7 and 8 may be disposed between the ANTILOG memory 1211 and the register 1225 to remove the guard bit from the calculation result. This completes the description of the typical multiplication apparatus 1200 shown in FIG.

In the device 1200 described above, the first register 1201 and a processor (not shown) can be viewed as a means for storing first binary data. Alternatively, the first register 1201 and the guard-bit-insert circuit (not shown) can be viewed as a means for storing the first binary data. The second register 1203 and the processor (not shown) can be viewed as a means for storing the second binary data. Alternatively, the second register 1203 and the guard-bit-insert circuit (not shown) can be seen as a means for storing the second binary data. In addition, register 1225 can be viewed as a means for storing third binary data. In addition, the clock / logical element 1205 and any or all of the remaining elements shown in FIG. 12 may be viewed as means for performing at least one operation on the first binary data and the second binary data.

Addition using multi-guard-bit notation, p = 2 ^m -1

A typical aspect of the invention relating to the addition of field elements in the case of p = 2 ^m −1 is described in multi-guard-bit notation. It is assumed here that the present invention is implemented using a hardware structure that operates for at least 2km bits (ie, the resist is at least 2km bits in size). The invention according to the multi-guard-bit notation can be realized, for example, using the system 100 shown in FIG. 1 described above. In addition, the dedicated hardware devices described above and shown in Figures 6, 7, 8, and 12 may be used to implement the present invention in accordance with multi-guard-bit notation. Such devices are not described again here. However, appropriate modifications to the apparatus shown in Figures 6, 7, 8, and 12 for multi-guard-bit notation will be described below whenever necessary.

The notation of field element GF (p ^k ) in multi-guard-bit notation has already been described in the discussion relating to the example of FIG. 2C. As in that discussion, the elements of a finite field are stored as binary strings, but instead of having only one guard-bit position between adjacent groups of data bits representing the coefficients of the field elements, they represent the field coefficients of the field elements. Multiple guard bit positions (eg m guard-bit positions) are provided between adjacent groups of bit positions that allocate binary data to be stored. For example, as shown in FIG. 2C for GF (3 ⁸ ), eight groups of bit positions 221-r (non-shaded bit positions) are the field coefficients α _{7, i} , ..., α _{1, i} , α Allocated to store binary data representing _{0, i} and adjacent groups of bit positions 221-r are separated by groups of two guard-bit positions 213-r (light shaded bit positions). Fraud guard-bit positions are initialized such that each contains a binary value of zero.

For p = 2 ^m −1 a typical form of implementation of GF_p_k_ADD for field GF (p ^k ) describes multi-guard-bit notation. In order to perform the addition of the two field elements α _i and β _i using the first and second binary data stored in the first and second registers according to the multi-guard-bit notation, the operation associated with GF_p_k_ADD is performed in a single-guard- It is in principle the same as for bit notation. Only the number of guard-bit positions between the adjacent group of data bits indicating the field coefficient and the form of the first and second predetermined binary amounts M1 and M2 is changed. If multiple guard-bit positions (eg, "m" guard-bit positions) are configured between adjacent groups of data bits associated with field coefficients, the method proceeds as described above with respect to FIG. That is, a value of zero at a bit position corresponding to the bit position of the first guard bit in the first register and an amount of 2 ^m −1 at the bit position corresponding to the bit position of the first group of data bits in the first register M1 is assigned to have a binary value. M2 is given by M2 = NOT (M1). At this time, in a manner similar to that described for the single-guard-bit notation, the third binary data representing the sum of the first and second field elements of GF (p ^k ) is generated by performing the operation in Equation 19. can do.

(19)

Where a and b indicate the contents of the first and second registers, respectively, in which the first and second binary data are stored according to the multi-guard-bit notation, and c is the third binary stored according to the multi-guard-bit notation. Display the result of the contents of the third register holding the data. A description of how to correctly provide third binary data representing a third field element of GF (p ^k ) equal to the sum of the first and second field elements is described in the above description of the single guard-bit notation and The same thing is not repeated here.

As mentioned above, the hardware devices shown in Figs. 6 and 7 can be used to implement the present invention in accordance with multi-guard-bit notation. It is not necessary to modify the device 600 shown in FIG. 6 here. The first and second binary data are stored in the first and second registers 601 and 603 according to the multi-guard-bit notation, and the first and second predetermined binary amounts M1 and M2 are configured as described above. You just need to know.

For multi-guard-bit notation, the guard-bit-insertion circuits 701 'and 703' and the guard-bit removal circuit 709 'replace a single guard bit between groups of data bits that represent the coefficients of the field elements. A modification to the addition device 700 shown in FIG. 7 is needed, in that it must be configured to insert multiple guard bits into the. In this regard, the typical guard-bit-insertion circuit 800 shown in FIG. 8A can be configured to replace the electrical connection 811, where one or more guard-bit positions 809 without the electrical connection 811 are registered. It is inserted between bit positions of the adjacent group at 805. Likewise, the typical guard-bit-removal circuit 820 shown in FIG. 8B can be configured to replace the electrical connection 831, so that one or more guard-bit positions (between adjacent bit positions in the register 825) ( 809) is removed. With this modification to the multi-guard-bit notation, the operation of the apparatus 700 shown in FIG. 7 becomes the same as described above.

Multiplication using multi-guard-bit notation

A typical form of implementation of GF_p_k_MUL for field GF (p ^k ) describes multi-guard-bit notation. This discussion is applicable to p given as a function of p = 2 ^m ± 1 and p2 ^m ± d. The difference caused by the difference in function form of p depends only on the number of bits used to store the binary data representing the given coefficients of the field elements and how many bits are allocated in the ANTILOG table for each coefficient of the field elements. Related. This difference will be explained in more detail below. The current discussion proceeds to the case of p = 2 ^m −1 where m bits are used to store each coefficient of the field element, but this discussion is also applicable to the other functional forms of p described above.

In a first typical implementation of GF_p_k_MUL for multi-guard-bit notation, a compression function is used to more efficiently use the memory space allocated for the DLOG and ANTILOG tables. This method uses direct address DLOG and ANTILOG tables in a somewhat similar manner as described above for single-guard-bit notation, but the form of direct address DLOG and ANTILOG tables is different. In particular, to save the memory space allocated for the DLOG and ANTILOG tables, the DLOG and ANTILOG are configured without guard bits (making them a combined size of about km2 ^km bytes). For the direct address DLOG table, if the binary data corresponding to the field element is used as the memory address, removing the guard bits from the DLOG table means that the total number of consecutive memory addresses is reduced. Thus, the number of reserved memory locations is reduced. For ANTILOG tables that are directly addressed and use binary data representing the integer x = DLOG (a (t)) as a memory address, removing the guard bit is for storing binary data representing the field element a (t). By reducing the number of bits used, the required memory is reduced. To use this table, binary data representing the field elements of GF (p ^k ) stored in multiple guard notation is compressed before performing a DLOG table lookup. The resulting binary data is also decompressed after performing the ANTILOG table look-up. This will be described in more detail.

It is assumed herein that field elements are stored according to a multi-guard-bit notation with guard bits between adjacent groups of data bits representing coefficients of field elements. However, the method is not limited to m guard bits between adjacent groups of data bits, and modifications to m guard bits and other multiple guard bits between adjacent groups of data bits may also be apparent from the discussion below. Let t = INT (k / 2), where INT (k / 2) is an integer value of k / 2 rounded down to the nearest integer. Compression can be performed on register content a, stored in multi-guard-bit notation using the following compression function (COMP).

20

Since M3 is a predetermined binary amount representing a value of 2 ^km −1, COMP (a) has a km bit. (In Equation 20, XOR can be replaced by a bitwise OR-operation.) The COMP function performs a bit-position on a group of data bits representing field coefficients (i.e., related information-carrying data). Reserved guard-bit-position block [(2 (jt) +1) m, ..., (2 (jt) from block [2jm, ...., (2j + 1) m-1, where j≥t] ) +2) m-1]. This is illustrated by way of example in FIG. 13, which shows mapping the bit positions from the register 1301 to the bit positions of the register 1302. Here the decompressed data in register 1301 is compressed into register 1302. Slanted dashed line 1303 indicates the mapping of the shifted bit-position block to its original position. Vertical dashed line 1304 represents the mapping of the unshifted bit position block to its original position. As shown in FIG. 13 for the case of GF (3 ⁸ ) where t = 4 and m = 2 (since p = 2 ^m −1), as an example for j = t = 4, bit position 16 (ie 2jm) And data at 17 (ie, (2j + 1) m-1) is in bit positions 2 (ie (2 (jt) +1) m) and 3 (ie (2 (jt) +2) m-1 ). Other data blocks are mapped as well. Thus, there is no group of data bits representing the coefficients of the field elements that are lost in the above operations. The direct address DLOG table may be configured such that the memory address corresponds to the COMP value of the relevant field element for fast look-up. The direct address ANTILOG table stores the COMP value of binary data representing field elements. In addition, every entry in the DLOG and ANTILOG tables contains relevant (ie information-passing) data. Therefore, there is no empty or unused space in the DLOG and ANTILOG tables.

Decompression of compressed binary data can be performed using the decompression function (DECOMP) in a similar manner. A predetermined binary amount of 1 in bit position 2jm, 2jm + 1, 2jm + 2, ..., (2j + 1) m-1 (where j = 0, 1, ..., k-1) and 0 otherwise Is called M4. At this time

(21)

Where again the XOR may be replaced with << (2t-1) m indicating a bitwise OR-operation and left shift by (2t-1) m bits. The mask M4 will confirm that the guard-bit position contains only zeros. After a table look-up using the ANTILOG table is performed, the value is decompressed by the DECOMP function described above. Therefore, a and b representing the first and second field elements α _i and β _i of GF (p ^k ) are stored according to the first and second binary data (first and second registers) stored according to the multi-guard-bit notation. Register content), the full multiplication of α _i and β _i in GF (p ^k ) can be achieved by performing the operation given in equation (22).

(22)

Where c is third binary data that may be stored in a third register and represent a third field element that is equal to the product of the first and second field elements. Thus, in order to effectively execute k ² multiplication in parallel, 9 high speed operations and 1 modular addition can be performed. By executing GF_p_k_MUL in this typical manner, the algorithms PRODUCT (α, β) and REDUCE (δ, f) described above make it easy to compute in an extended field in the form of GF (p ^{l k} ).

In a second typical implementation of GF_p_k_MUL for multi-guard-bit notation, one can multiply the field elements of GF (p ^k ) without using the above compression and decompression functions. In this typical method, the operation associated with GF_p_k_MUL is in principle identical to that for the single-guard-bit notation described above with respect to FIGS. 9-12. Only the number of guard-bit positions between adjacent groups of data bits representing field coefficients in a given register and the shape of the DLOG and ANTILOG tables 1000 and 1100 are changed. In this regard, field elements are stored according to the multi-guard-bit notation described above and shown, for example, in FIG. 2C. The DLOG and ANTILOG tables are also similar in shape to the typical tables shown in Figs. 10A and 11A, respectively, but are modified to provide one or more guard-bits between adjacent groups of data bits representing field coefficients. For example, the typical DLOG table 1000 shown in FIG. 10A is a multi-guard-bit by providing one or more guard bits 1009 (eg, m guard bits) between adjacent groups of data bits 1007. Can be modified for notation. Likewise, the typical ANTILOG table 1100 shown in FIG. 11A uses a multi-guard-bit notation by providing one or more guard bits 1109 (eg, m guard bits) between adjacent groups of data bits 1107. Can be modified. With this modification, multiplication in multi-guard-bit notation can be performed in the same manner as described above with reference to FIGS. 9-12. Of course, this present method does not have the advantage of saving memory space as described above with respect to the form of GF_p_k_MUL for multi-guard-bit notation using compression and decompression functions.

Another calculation using single / multiple guard-bit notation, p = 2 ^m -1

Several other operations that are easily implemented using single and / or multiple guard-bit notations are described. First, scalar multiplication can be easily performed using multi-guard-bit notation. Scalar multiplication, i.e. multiplying some γ by GF (p ^k ) by element α _i = (α _{k-1, i} , ..., α _{1, i} , α _{0, i} ) in ground field GF (p), You can run it in multi-guard-bit notation without using any tables. It is desirable to calculate the next amount.

(23)

As described in Seminumerical Algorithms mentioned earlier, for p = 2 ^m -1, the multiplication modulo p of two binary quantities u and v (assuming both are in the range 0, 1, ..., p) is Can be executed according to a relational expression.

24, 25

It is clear that uv <2 ^m since u <2 ^m and v <2 ^m . Binary data representing α stored in the first register according to the multi-guard-bit notation is u, and binary representing γ (element of GF (p)) stored in the second register according to the multi-guard-bit notation. The data is called v. Where v has a binary value indicating the amount of γ at the right-upper bit position and zero otherwise. In other words, v can be viewed as binary data indicating the vector amount, and the vector amount is (0, 0, ..., γ). At this time, k modular multiplication can be executed in parallel by executing the following operation.

26, 27

Here, M1 is a predetermined binary amount having a bit position 2jm, 1 at (2j + 1) m-1, and a binary value indicating an amount of 2 ^m −1 otherwise (j = when t is defined as described above). 0, 1, ..., t), GF_p_k_ADD is a typical addition algorithm for the multi-guard-bit notation described above. In this regard, the multiplication of u and v in Equation 26 may be a normal multiplication of a register, such as is conventionally performed by a known processor (eg, integer multiplication or floating-point). multiplication). Alternatively, the multiplication of u and v in Equation 26 may be performed using the table look-up described above with reference to FIG. 9. Therefore, in this notation convolution (multiplication) is not a conventional 2k multiplication and modular abbreviation operation, but can be a simple operation of 4 + 5 = 9.

A special case of scalar multiplication is doubling. Given the element α _i of GF (p ^k ), the field amount α _i + α _i (2α _i ) can be determined by executing the following operation.

28, 29

Where a is binary data representing α _i stored according to single-guard-bit notation or multi-guard-bit notation, and M1 and M2 are suitably in either single-guard-bit notation or multi-guard-bit notation. It is a predetermined binary amount (mask amount) defined as above. Thus, it can be seen that doubling can be achieved using five efficient operations.

Another feasible calculation is equality testing. For example, checking whether or not the binary data a representing the field element of GF (p ^k ) represents the zero element can be performed by checking whether a = 2a. Here the doubling is performed as just described. Since the number p is odd, the amount of 2a is never zero unless a = 0. In principle, it may be desirable to directly check whether a = 0 using single word-operation. However, since element 0 in ground field GF (p) has two notations (0 and p), it is possible for binary data a to represent 0 even if all bits of binary data are not equally zero. Thus, the doubling operation provides a convenient way to check if the amount of a is equal to zero. This method can be applied to both single-guard-bit notation or multi-guard-bit notation.

Another feasible calculation is to determine the additive inverse of the a field element of GF (p ^k ), that is, to determine "-a" where a + (-a) = 0, given a. . Given the first binary data a stored according to either single-guard-bit notation or multi-guard-bit notation for indicating the field element of GF (p ^k ), 2 binary data c can be determined. Binary data indicating the amount of (p, p, ..., p) in GF (p ^k ) is called z. That is, z contains k groups of data bits with guard bits between them at appropriate locations, where each group of data bits maintains a binary equivalent of p. At this time, c = -a is determined by executing a single word operation.

(30)

Where "-" is a regular subtraction operator on words. Thus, the general equivalence test, i.e., determining whether a = b is performed by checking whether a + (-b) = 0, i.e., using the above technique for the addition inverse first, and then if the element is zero then the method for inspection This can be done by using

Another feasible calculation is a multiplicative inverse. In the multiplicative group of size s, x ⁵ = 1 is true for all x. In other words, for any x in the field, x ^-1 = x ^s-1 . For the finite field GF (p ^k ), the multiplication group has a size s = p ^k −1. Therefore, the multiplication inverse of the field elements can be performed by a table look-up according to the following relation.

(31)

Wherein the first binary data a represents a field element of GF (p ^k ) and is stored according to single-guard-bit notation or multi-guard-bit notation. Second binary data a ^-1 indicates a multiply inverse field element. In a manner similar to that described above with respect to the discussion of GF_p_k_MUL for single-guard-bit notation, the operation in equation 35 can be performed directly using single-guard-bit notation using a table look-up. For multi-guard-bit notation, the operation in equation 35 can also be performed directly, where the DLOG look-up table consists of multiple guard bits at the memory address, and the binary data stored in the ANTILOG table represents data representing field elements. It consists of multiple guard bits located between groups of bits. Alternatively, the operation in equation 35 can be performed for multi-guard-bit notation using “compressed” DLOG and ANTILOG look-up tables combined with compression and decompression as described above. That is, the first binary data can be compressed using the above COMP function before executing the DLOG table look-up, and decompressed using the DECOMP function on the binary data result after the ANTILOG table look-up is executed. You can execute the operation.

Another computation that can be done is exponentiation. By generalizing the multiplication inverse, the table look-up can be performed according to the following relationship to calculate the power of the field element with respect to n-th power.

(32)

Where a is first binary data representing a field coefficient in accordance with either single-guard-bit notation or multiple-guard-bit notation. In the same manner as described above, equation 36 may be executed directly or alternately, followed by ANTILOG table look-up before the DLOG table look-up, and may be executed using the compression and decompression functions, respectively, as needed.

Evaluation of efficiency increase

The evaluation of efficiency gains obtained by using the method of the present invention as compared with the conventional method will be described in connection with the application of typical cryptography. In terms of cryptographic security, encryption can be implemented using an elliptic curve (see Handbook of Applied Cryptography, mentioned above) for a finite field of size 2 ^160, to make the encryption schemes sufficiently complex and fairly secure. It is currently recommended to do so. Thus, in the case of p = 3 in accordance with the present invention, it is necessary to use an extension of GF (3) of order greater than 101 (ie, 3 ¹⁰¹ ≒ 2 ¹⁶⁰ ). In the case of p = 7 according to the invention, the extension order requires at least 57. In other words, the necessary complexity may be achieved, for example, by executing the calculation in GF 3 ¹⁰² or GF 7 ⁶⁰ .

Rather than performing the calculations directly in GF 3 ¹⁰² or GF 7 ⁶⁰ , the present invention allows calculations to be performed in the appropriate extension field GF (p ^{l k} ) to achieve the necessary complexity. For example, for p = 3, the necessary complexity can be found by performing calculations in the extended field GF (p ^{l k} ), where l = 17 and k = 6 (since 102 = 6 · 17). Similarly, for p = 7, the required complexity can be found by performing calculations in the extended field GF (7 ^{l k} ), where l = 12 and k = 5 (since 60 = 5 · 12). As noted above, this calculation requires performing an arithmetic operation on the base field GF (p ^{l k} ), which in the present example can be GF (p ⁵ ) or GF (7 ⁵ ), respectively. It should also be noted that the calculation in GF (3 ⁶ ) can be performed using single-guard-bit notation in a conventional 32-bit structure. In addition, the calculation in GF 7 ⁵ can be performed using either single-guard-bit notation or multi-guard-bit notation in a 32-bit structure. As described above, the algorithms SUM (α, β) and PRODUCT (α, β) can be used to associate the calculation in the extended field GF (p ^{l k} ) with the calculation in the field GF (p ^k ). Various kinds of calculations in GF (p ^k ), including various implementations of GF_p_k_ADD and GF_p_k_MUL, have been described in detail above.

l = 17 and k = 6 is a single according to the invention as compared with the conventional method for the calculation, including the specific finite fields of GF (p ^{l k)} with l = 17 and k = 6 in GF (p ^{l k)} - A summary table of the computational efficiency for guard-bit notation and multi-guard-bit is shown. In particular, the table below shows the approximate combined size (in bytes) of the DLOG and ANTILOG look-up tables and the number of operations that need to perform addition and multiplication in each field. The number of operations required to perform multiplication using multi-guard-bit notation includes using the above compression and decompression operations.

field k l Single-guard-bit notation Multi-guard-bit notation Conventional method Table size Operation on addition Operations on multiplication Table size Operation on addition Operations on multiplication Table size Operation on addition Operations on multiplication GF (3 ^lk ) 6 17 2 ¹⁹ 85 578 2 ¹³ 85 2890 - 102 10400 GF (7 ^lk ) 5 12 2 ²¹ 60 288 2 ¹⁶ 60 1440 - 60 3600

As is clear from the above table, for the multiplication using the above-described method of the present invention, a greater gain in efficiency than the conventional method can be achieved. Regarding the number of operations indicated above for addition, the kind of operations used in single-guard-bit notation and multi-guard-bit notation according to the present invention are mainly simple bit operations of high efficiency, whereas It is worth noting that the kind of operation involved is a very slow modular add operation. Thus, it is apparent that the addition using the method of the present invention as described above can achieve a significant gain in efficiency as compared to the conventional method of performing addition in GF (p ^k ). Thus, the gains achieved using the present invention are, at first glance, even more pronounced than the above proposed table. This same investigation also applies to the multiplication of the field elements according to the invention.

A review relating to determining whether single-guard-bit notation or multi-guard-bit notation is described. If memory consumption is not a concern, single-guard-bit notation is preferred because of better computational performance. In the near future, if the addition operation is the dominant operation, a single guard-bit should be used because it can make k as large as possible. Also, DLOG and ANTILOG look-because the 2 ^k the size of the up-table, the addition in this case is used predominately than multiplication, DLOG and ANTILOG look-number to be practical simply to use the conventional method to avoid up table as a whole, which is multiplied by the field element have.

On the other hand, if multiplication is the dominant operation, multi-guard-bit notation that minimizes the size of the DLOG and ANTILOG look-up tables is more desirable. In view of the above discussion, single-guard-bit notation and multi-guard-bit notation, in some sense, the compactness of DLOG and ANTILOG look-up tables, ease of table look-up and degree of parallelism (ie, It can be seen that the opposite end of the scale is indicated, including consideration of trade-off between the number of field-element coefficients that can be represented in a single-machine register. If w is a (fixed) word of the hardware structure (ie w is a register size) and m is the number of bits in the ground field GF (p) for p = 2 ^m −1, then part of the single-guard-bit notation The attributes can be summarized as follows: Binary data representing the k = w / (m + 1) coefficients of GR (p ^k ) (the coefficients are elements of GF (p)) can fit into one word, a single hardware register. This packing of binary data is optimally suitably for satisfying k <w / m. No compression is required before the DLOG table lookup, and there is no need for decompression following the (obviously optimal) ANTILOG table lookup. The look-up table for single-guard-bit notation is about 2 ^k times larger than the look-up table for multiple guard bit notation. That is, the look-up table for single-guard-bit notation is larger than the absolute minimum size needed to store all the elements of the field.

Some attributes of the multi-guard-bit notation can be summarized as follows. Binary data representing the k = w / (2m) coefficients of GF (p ^k ), which is an element of GF (p), can fit into one word, a single hardware register. In order to save the memory space required for the DLOG and ANTILOG look-up tables, a small amount of computation can and should be dedicated to the compression and decompression operations associated with the table look-up as needed. By using compression and decompression operations, the DLOG and ANTILOG tables are necessarily optimal in size.

Expansion to p in the form p = 2 ^m +1 and p = 2 ^m ± d

In the above discussion, the calculation in finite fields of odd-numbered surface numbers has been described for p in the form p = 2 ^m −1. An extension of the above method is explained for the calculation of finite fields of odd-numbered tables. Where p is in the form p = 2 ^m +1 and p = 2 ^m ± d and d is small. In principle, any d value may be used in the case of d <2 ^m , but it will be appreciated that smaller d is preferred. In principle, as described below, p = 2 ^m −1 with d ≦ (2 ^m + 1) / 3 and p = 2 ^m ± with d ≦ p / 6, which proved to be as efficient as for d = 1. When d, special optimizations are available. Compared to the case of p = 2 ^m −1, this extension requires only a small increase in the required memory and computational overhead. The above treatment for p = 2m-1 allows p = 3, 7, 31, etc., while the expansion to p = 2 ^m +1 and p = 2 ^m ± d is a prime p = 5, 11, 13, 17 Use the back. Although it is mentioned that the present invention is most advantageous when d is smaller than the above, in principle all prime numbers are accepted. In addition, the word size and hardware memory place some practical limitations on how large a value of p can be used. As described above, when odd odd prime numbers p can be written in terms of more than one function form, it is generally preferable to use the method for p = 2 ^m −1 rather than the method for the other two function forms. In addition, when d> 1, it is preferable to use the method for p = 2m + 1 rather than the method for p = 2 ^m ± d.

The following investigation involves understanding the expansion of p = 2 ^m + 1 to p as well as p = 2 ^m ± d. Using a slightly different notation, as suggested above (see Eq. 15), when p = 2 ^m −1, the fraction e modulo p of a value can be executed according to the following equation.

(33)

As mentioned above, this is subtracting the integral multiple of p from e. Thus the result is mathematically correct and the only problem is that it is "practical", ie the result does not always belong to the set 0,1, ..., p-1, the conventional notation of integer modulo p. . This was solved by the following investigation. The notation of the integer modulo p can be extended to a larger set Sp = 0, 1, ..., p with two notations of zero, 0 and p. At this time, if f and g are elements of Sp, Equation 3 is correctly calculated as (f + g) mod (p) in double notation. Where e is the sum of f and g. This investigation will now be generalized. Let p = 2 ^m +1 (where d is negative but | d | <2). At this time, for some constant e, the following relation applies to the constant r.

(34), (35)

In other words, the result is equal to e mod (p), up to an integer multiple of p. So what is done in equations 34 and 35 is the subtraction by a multiple of p. In order to get the complete approximate mod p so that the amount of c-pk is actually in the set 0, 1, ..., p-1, the relation in equations 34 and 35 is k = e div p = e div (2 ^m + d ) Should be used. However, the present invention uses an approximation at k = e div 2 ^m so that e-pk is not guaranteed to be in set 0, 1, ..., p-1. For the case of d = -1 (corresponding to p = 2 ^m −1), for example, using the slightly larger set Sp would be closed for the set Sp in the determination of e = f + g. Combined with addition, it allows for modular abbreviations.

For p = 2 ^m +1 and p = 2 ^m ± d for odd | d |> 1, the algorithms GF_p_k_ADD and FG_p_k_MUL for the generation are appropriate sets of notations corresponding to the coefficient values of the allowed GF (p ^k ) field elements It is described below in connection with determining Sp. It can be seen that the Sp set depends on the functional form of p and m and d. Where p = 2 ^m ± d. Similar to the above, these sets will be displayed in the case of p = 2 for ^m +1 ⁺ Sp, Sp for ^{p = 2 m + d + d} , p = 2 m -d Sp -d. As described above, the coefficient itself of the field element of GF (p ^k ) is an element of GF (p). It should be noted that there is no mathematical problem to allow a more general set Sp if the c amount of modular abbreviation is closed under addition according to the modular abbreviation, so long as c minus a multiple of p.

Addition and multiplication in GF (p ^k ) at p = 2 ^m + d

In the following description of GF_p_k_ADD and GF_p_k_MUL for the case of p = 2 ^m + 1, it is assumed that ^m ≧ 2 such that p ≧ 5. This is because it is preferable to address the case of p = 3 using the method described above for addition and multiplication in the case of p = 2 ^m −1 (that is, p = 2 ² −1). Sp ⁺ is given by Sp ⁺ = 0, 1, ..., 2p-2. (So, for p = 2 ^m +1, the present invention results in 0, 1, ..., p-2 values having two notations, whereas for p = 2 ^m -1, only zero values have more than one notation. In this case, each coefficient of the field element of GF (p ^k ) is an element of Sp ⁺ . Since 2p-2 = 2 ^{m + 1} , m + 3 bits (not including guard bits) are used to represent the coefficients of the field elements of GF (p ^k ), which is the method for p = 2 ^m −1. At set Sp = 0, 1, ..., p is one or more bits than necessary to represent the coefficients.

For p = 2 ^m +1, the binary data representing the field element of GF (p ^k ) is that for p = 2 ^m +1, m + 2 bits (not including guard bits) are field elements. As described above, it may be stored in a hardware register in accordance with either a single-guard-bit notation or a multi-guard-bit notation, except that it is allocated for each group of data bits representing the coefficient of. For example, in single-guard-bit notation, the first binary data representing the first field element α _i of GF (p ^k ) may be stored as follows. Here, the first binary data includes k groups of first data bits. Assume (m + 3) k as the maximum hardware word size (register size). Let α _{i be} the first field element of GF (p ^k ), where α _i = (α _{k-1, i} ,..., α _{0, i} ) and each α _{j, i} belongs to Sp ⁺ . The group of first data bits representing a _{0, i} is stored in the first register at bit positions 0, 1, ... m + 1. The first guard bit with a zero value is stored in the first register at bit position m + 2 (guard-bit position). Another group of first data bits representing α _{1, i} is stored in the first register at bit positions m + 3, ... 2m + 4, and so forth. Thus, at v = 1, 2, ... there is one first guard bit at every bit position v (m + 3) -1, ie at every successive (m + 3) th bit position. In other words, there is one first guard bit at a position adjacent to the most significant bit of each group of first data bits. The second binary data comprising a k group of second data bits representing a second field element of GF (p ^k ) is generated with one second guard bit adjacent to the most significant bit of each group of second data bits. It can be stored in two registers as well. (Here, “first” and “second” are simply used to distinguish between attributes corresponding to the first field element and the second field element, respectively.) In this way, the first and second of GF (p ^k ) By storing binary data indicative of field elements in the first and second hardware registers, carry will not be transferred from one group of data bits indicative of field coefficients to an adjacent group of data bits indicative of other field coefficients. The method of storing binary data representing field elements in accordance with multi-guard-bit notation is entirely similar except that one or more guard-bit positions are provided between adjacent groups of data bits representing field coefficients. .

A typical form of GF_p_k_ADD at p = 2 ^m + 1 will be described with reference to the flowchart of FIG. The operation shown in FIG. 14 can be executed by a system such as the system 100 shown in FIG. Further, in the manner as described before, first binary data representing the first field element of GF (p ^k ) is stored in a first register (eg, register 107 of FIG. 1), and the second field element Assume that the steps 301 and 303 shown in FIG. 3 have been executed in advance by the processor 105 so that the second binary data indicating is stored in a second register (e.g., register 109). The first and second binary data may be stored according to either single-guard-bit notation or multi-guard-bit notation. The method is the same in both cases. At this point, the steps shown in FIG. 14 indicate a typical implementation of step 305 shown in FIG.

As in step 1401, the processing unit 105 uses addition (i.e., add carry with the next most significant bit if necessary) to remove the content a of the first register 107 and the content b of the second register 109. Add. The result of the addition may be stored in another register 111 as shown in FIG. As in step 1403, the processing unit 105 performs a logical AND operation between the amount of (a + b) stored in the register 111 and the first predetermined binary amount M1 stored in one of the registers (e.g., register 113). Run The M1 quantity has a zero value at a bit position corresponding to the bit position of the first guard bit stored in the first register 107 and at a bit position corresponding to the bit position of each group of first data bits stored in the first register. It has a binary value representing the amount of 2 ^m -1. For example, when p = 5 (ie, p = 2 ^m + 1 to m = 2), the first predetermined binary amount M1 is a continuous binary string (0, 0, 1, 1) separated by zero bit values. 1), since 2 ^m -1 = 3, given as binary values (0, 0, 1, 1). The above definition of the amount of M1 is applicable to multi-guard-bit notation as well as single-guard-bit notation for the case where p = 2 ^m +1. The result of the operation shown in step 1403 may be referred to as first intermediate data c1 and is stored in one of the registers (eg, register 115).

As in step 1405, the processing unit 105 performs a logical AND operation between the amount of (a + b) stored in the register 111 and the second predetermined binary amount M2 (where M2 is given as M2 = NOT (M1)). Run The NOT operation is bitwise logical negation. The result of this operation is stored in one of the registers (eg, register 117). In addition, as in step 1405, the processing unit 105 performs a right shift by m bits for the amount of ((a + b) & M2). The result of such an operation may be stored in the same register 117 or another register. In step 1407, the processing unit 105 subtracts ((a + b) & M2) >> m from the third predetermined binary amount P1. The amount of P1 has a zero value at the bit position corresponding to the bit position of the first guard bit stored in the first register, and 2 ^m +1 at the bit position corresponding to the bit position of each group of first data bits in the first register. It has a binary value indicating the amount of (= p). For example, at p = 5 (i.e. m = 2), the third predetermined binary amount P1 is a continuous binary string (0, 1, 0, divided into zero bit values (corresponding to the guard-bit position). 1), since 2 ^m + 1 = 5 given as (0, 1, 0, 1) as a binary value. The result of the operation shown in step 1409 may be referred to as second intermediate binary data c2 and is stored in one of the registers (eg, register 119). In step 1409 the processor performs an addition between the first intermediate binary data c1 and the second intermediate binary data c2, which may be marked c and stored in one of the registers (eg, register 121). Generate the third binary data. According to this method, the third binary data c represents the sum of the first field element and the second field element.

The algorithm according to FIGS. 3 and 14 has been described in terms of specific sequences of steps to facilitate explanation. However, it is not necessary to carry out the steps shown in Figs. Those skilled in the art will appreciate that the order of the steps can be changed and some of the steps can be executed simultaneously. For example, steps 301 and 303 shown in FIG. 3 may be executed simultaneously, and steps 1403 and 1405 shown in FIG. 4 may be executed simultaneously.

Regardless of the procedure in which the various operations are performed, it is only necessary to determine the amount of c (third binary data) according to the following relationship.

(36)

Where a is first binary data representing a first field element, b is second binary data representing a second field element, + represents addition, and M1, M2 and P1 are defined as described above. do. In this respect, each group of data bits c _j of the resultant amount c represents a value that is an element of Sp ⁺ , and each such c _j is c _j = (a _j + b _j ) mod (p) ( will be appreciated by those skilled in the art. Where the subscript j for the amounts of a and b indicates the corresponding group of data bits representing the relevant coefficients of each field element.

Thus, for p = 2 ^m +1 the addition of field elements in GF (p ^k ) can be performed using six simple instructions (compare with five simple instructions for p = 2 ^m −1). Using the second term (P1- (c '& M2) >> m)) as the addition in Eq 36 is, in principle, equivalent to subtracting the amount of ((a + b) div 2 ^m ) modulo p, Make 36 match Eq 33 However, it is advantageous to perform q subtraction as positive qq addition. In particular, if subtraction is performed in a conventional manner, i.e. by subtracting ((a + b) div 2 ^m ) rather than adding (P1-((a + b) & M2) >> m)), it faces the addition carry. It is possible to encounter negative “borrows” even if you do not. On the contrary, by using the addition amount (P1-((a + b) & M2) >> m)), such negative borrowing can be avoided. have.

To prove that the method given in Eq 36 produces the correct addition result, if a _j and b _j ∈ Sp ^+, then any c _j of c quantity in Eq 36 is 0≤c _j ≤2 ^m -1 + p = 2p We know that -2 is satisfied (because 0≤ (a _j + b _j ) div 2 ^m ≤4 <p). Thus, each c _j of both c in equation 36 is an element of Sp as required. As mentioned above, the drug in Eq 36 subtracts ((c _j div 2 ^m ) -1) p from c _j , which is a multiple of p. Thus each c _j is actually in the set Sp ⁺ and thus is equal to the remainder of (a _j + b _j ) mod p, up to the (single) multiple of p.

As noted above, the addition (GF_p_k_ADD) of two field elements of GF (p ^k ) to p = 2 ^m +1 in the multi-guard-bit notation according to the present invention is substantially equivalent to the single-guard-bit notation. same. It should be noted only that the first and second binary data representing the first and second field elements, respectively, are stored with multiple guard bits located between adjacent groups of data bits representing the coefficients of each field element. Also, the above given prescriptions for determining amounts of M1, M2 and P1 need not be modified for multi-guard-bit notation. Of course, applying such a definition to multi-guard-bit notation will produce amounts of M1, M2 and P1 of different values than those generated for single-guard-bit notation.

(Example 2)

A numerical example illustrating the method shown in FIG. 14 for p = 2 ^m + 1 will be described with reference to FIG. 15. 15 schematically illustrates a set of registers 1501-1521 in which typical register contents are stored, in accordance with single-guard-bit notation. Each register 1501-1521 contains 32 bit positions in this embodiment according to a 32-bit structure. In this particular example, the calculation is performed using binary data representing the field elements of GF (5 ⁶ ), where p = 2 ^m + 1 = 5 and m = 2. Thus m + 2 = 4 bits are allocated for each coefficient of field element (not including guard bits), and adjacent 4-bit groups are separated by a single guard-bit position (light shaded area). In this example, there are also two unused bit positions (dark shaded areas) in the most significant bit of each register. For example, using a processing system such as the processing system 100 shown in FIG. 1, the calculation described below is performed.

In this example, each coefficient of a given field element is the element of field GF (5) itself. The coefficient value in GF (5) corresponds to binary data according to the next combination. That is, 0 to (0, 0, 0, 0); 1 to (0,0,0,1); 2 ~ (0,0,1,0); 3 to (0,0,1,1); 4 to (0,1,0,0). There is also a dual notation with the following addition combination, where two different numbers in GF (p) are represented by the same value. That is, 5 to (0, 1, 0, 1) corresponding to 0; 6 to (0, 1, 1, 0) corresponding to 1; 7 to (0, 1, 1, 1) corresponding to 2; 8 corresponding to three (1,0,0,0).

As a start, first binary data representing a first field element given by a vector representation such as (0,3,1,6,3,0) is stored in the first register 1501. In addition, second binary data representing the second field element given by the vector representation such as (0,7,1,4,4,0) is stored in the second register 1503. Each guard-bit position in registers 1501 and 1503 is initially assigned a zero value. The contents of registers 1501 and 1503 are added by addition and the result (a + b) is stored in register 1505 (corresponding to step 1401 of FIG. 14). The content (a + b) of the register 1505 is combined with the first binary amount M1 stored in the register 1507 through a logical AND operation, so that ((a + b) & M1) is stored in the register 1509. Stored (corresponding to step 1403 of FIG. 14). In this example, since 2 ^m −1 = 3, which is given as a binary value as (0,0,1,1), the first predetermined binary amount M1 is represented by a zero bit value (corresponding to the guard-bit position). Contiguous binary strings (0,0,1,1) are included.

At this time, a second predetermined binary amount M2 = NOT (M1) is formed and stored in the register 1511, and the content M2 of the register 1511 is the content (a + b) of the register 1505 through a logical AND operation. ), And the resultant (c1 = ((a + b) & M2)) is stored in the register 1513 (corresponding to step 1405 in FIG. 14). The second predetermined binary amount P1 is stored in register 1515, where P1 is 2 ^m +1 located in adjacent 4-bit groups, each separated by a zero bit value (corresponding to the guard-bit position). Represents a positive repeated binary equivalent. In this example, since 2 ^m + 1 = 5, which is given as a binary value as (0,1,0,1), the third predetermined binary amount P1 is represented by a zero bit value (corresponding to the guard-bit position). It contains separate consecutive binary strings (0,1,0,1). The contents ((a + b) & M2) of the register 1513 are shifted right by m bits (i.e., 2 bits), and the resulting (((a + b) & M2) >> 2 is stored in the register 1517. (Corresponding to step 1405 in FIG. 14). The content (((a + b) & M2) >> 2) of the register 1517 is subtracted from the content P1 of the register 1515, resulting in (c2 = P1-(((a + b) &M2)> 2)) is stored in register 1519 (corresponding to step 1407 in FIG. 14). Finally, the content c of the register 1509 is added to the content c2 of the register 1519 using addition, and the resulting third binary data c = c1 + c2 is added to the register 1521. Stored. The resulting third binary data stored in register 1521 corresponds to the field element given by the vector representation, such as (5,5,7,5,7,5), which is the expected result. If desired, this result can be reduced to modulo 5 (which is mod (p) in this example) prior to the output operation, for example giving the result (0,0,2,0,2,0). . This completes the discussion of Example 2.

In another aspect of the invention relating to calculations involving field elements of odd-numbered finite fields in the case of p = 2 ^m + 1, a hardware device may be provided that performs operations on the typical form of GF_p_k_ADD shown in FIG. 16 is a functional block diagram of such a typical hardware device. In particular, the device 1600 shown in FIG. 16 generates third binary data, denoted by c in FIGS. 14 and 16 and capable of displaying the sum of the first field element and the second field element of GF (p ^k ). Provide another way.

The device 1600 can apply to both single-guard-bit notation and multi-guard-bit notation.

The hardware device 1600 shown in the functional block diagram of FIG. 16 shares various common features and operational forms with the device 600 shown in FIG. 6, wherein the same features in FIGS. 6 and 16 refer to the same reference numerals. Grant. The discussion of aspects of the device 1600 that are common to the device 600 will not overlap here. Aspects of the device 1600 that differ from the device 600 will be discussed.

The device 1600 has several features not found in the device 600. In particular, the device 1600 further subtracts an output from the right-shift register 1619 from the additional register 1625 holding a third predetermined binary amount P1 and the content P1 of the register 1625. It has a subtraction gate 1627.

The output from the subtraction gate 1627 is fed back to the register 1603 as indicated. In contrast, as shown in FIG. 6, the device 600 does not have a register similar to register 1625 and does not have a subtract gate similar to subtract gate 1627. Rather, for the device 600 shown in FIG. 6, the output from the right-shift gate 619 goes directly into the register 603 shown. By providing a register 1625 and a subtracting gate 1627 in the manner shown in FIG. 16B, the apparatus 1600 enables processing of data in a manner corresponding to step 1407 shown in FIG. In other respects, the device 1600 operates like the device 600 shown in FIG. 6, and no further discussion such as the aspect in FIG. 1600 is necessary.

As described above, in the apparatus 1600, the first register 1601 and a processor (not shown) may be regarded as a means for storing the first binary data as described with reference to FIG. The second register 1603 and a processor (not shown) can be viewed as a means for storing second binary data. In addition, register 1621 and / or register 1609 may be viewed as a means for storing third binary data. In addition, the clock / logical element 1605 and any or all of the remaining elements shown in FIG. 16 may be viewed as means for performing at least one operation on the first binary data and the second binary data.

In another exemplary embodiment of the present invention, the addition apparatus 1600 used for p = 2 ^m + 1 is selected from the block of FIG. 17 for a state dedicated to the finite field GF (p ^k ) and kept unchanged. It may be modified as shown for the hardware device 1700 shown in FIG. That is, the amount of m, p, and k is fixed as well as the choice of single-guard-bit notation or multi-guard-bit notation, and the hardware device 1700 is dedicated to this choice. In this state, the hardware device 1700 may receive initial binary data indicative of field elements, where the initial binary data is not configured to have zero at the guard-bit position. Rather, the hardware device 1700 itself configures the initial binary data with zeros at the appropriate guard-bit position without the processor to construct the first and second binary data with zeros at the guard-bit position. Generate first and second binary data. The hardware device 1700 shown in FIG. 17 will be described.

The hardware device 1700 shown in the functional block diagram of FIG. 17 shares many common features and operational forms with the device 600 shown in FIG. 16, the same features being referred to in FIGS. 16 and 17 by the same reference. Give a number. The discussion of aspects of the device 1700 that are common to the device 1600 will not overlap here. Rather, we will discuss aspects of the device 1700 that are different from the device 1600.

The device 1700 has several features not found in the device 1600. In particular, the device 1700 has guard-bit-insertion circuits 1701 'and 1703 (GB insertion) and guard-bit-removal circuit 1709' (GB removal). The guard-bit-insertion and guard-bit-removal circuits 1701 ′, 1703 ′, and 1709 ′ may be implemented using circuits similar to those shown, for example, in the examples of FIGS. 8A and 8B already described. As shown in FIG. 17, the guard-bit-insertion circuits 1701 ′ and 1703 ′ are functionally installed at the input to the hardware device 1700, and the guard-bit-rejection circuit 1709 ′ is provided with a register 1709. And between the output register 1721. Guard-bit-insertion circuits 1701 'and 1703' receive initial binary data a 'and b' (not including guard bits) corresponding to the first and second field elements of GF (p ^k ), and Operate to insert guard bits into that data. In other words, the guard-bit-insertion circuits 1701 ′ and 1703 ′ have initial binary data a ′ and b ′ for the first binary data and the second binary with guard bits, in particular with zero at the guard-bit position. Convert to data. The guard-bit-rejection circuit 1709 'has the opposite function, i.e., the function of receiving the third binary data c indicating the calculation result and having the guard bit, and removing this guard bit, and thus without the guard bit, the calculation result. To form the final binary data c ′.

Certain features in device 1600 that are not needed in device 1700 are missing in device 1700. In particular, the device 1700 is missing the input line to the right-shift gate 1719 and mask register 1713 for the amount of m. This input line is not necessary if m is fixed. Rather, right-shift gate 1719 is initialized to the m value at one time to perform the appropriate right shift. Similarly, mask registers 1713 and registers 1725 are initialized at one time in the appropriate form of M1 and P1 depending on whether single-guard-bit notation or multi-guard-bit notation is used. Conventional electrical connections can be used to perform this initialization and are not shown in FIG. In terms of the differentiation from the above operational distinction, the operation of the device 1700 shown in FIG. 17 is almost similar to the description of the device 1600 shown in FIG. 16, so no further discussion is required.

In the device 1700 described above, the first register 1701 and the guard-bit insertion circuit 1701 ′ can be viewed as a means for storing first binary data. The second binary register 1703 and the guard bit insertion circuit 1703 'can be viewed as a means for storing the second binary data. In addition, the register 1709 can be viewed as a means for storing third binary data. In addition, the clock / logical element 1705 and any or all of the remaining elements shown in FIG. 7 may be viewed as means for performing at least one operation on the first binary data and the second binary data.

In the case of p = 2 ^m +1 multiplication of field elements in GF (p ^k) are one-to Figure 9-12 on for both bit notation p = 2 ^m -1 - guard-bit notation and multiple-guard This can be done using the typical form of GF_p_k_MUL described above with reference. In contrast to the m bits for the case of p = 2 ^m −1, m + 2 bits (guard) to store each group of data bits representing the coefficients of the field elements of GF (p ^k ) for p = 2 ^m +1. It is only necessary to know that no bits are allocated). Of course, this difference should be applicable to the form of DLOG and ANTILOG tables. If the compression function (COMP) and the decompression function (DECOMP) use multi-guard-bit notation, these functions are allocated to store m + 2 bits rather than m bits in each group of data bits representing field elements. Consideration should also be given.

Addition and multiplication in GF (p ^k ) for p = 2 ^m ± d

In another aspect of the invention, the above-described treatment of performing calculations in GF (p ^k ) for p = 2 ^m −1 and p = 2 ^m +1 may be extended to p in the form p = 2 ^m ± d have. Here, suppose d> 1 and d is odd. M and d are chosen so that the resulting p is odd. If a given prime can be written as both p = 2 ^m −1 and p = 2 ^m +1 for different choices of m and d, it is preferable to use a form that allows a minimum value of d. For example, ^{p = 11 p = 2 3 +3} (m = 3, d = 3) and ^{p = 2 4 -5 (m =} 4, d = 5) can be written as both. It is preferable to select and use p = 2 ³ + 3 at m = 3 and d = 3. How to perform addition and multiplication in GF (p ^k ), that is, how to execute GF_p_k_ADD and GF_p_k_MUL for p = 2 ^m ± d.

For p = 2 ^m ± d, binary data representing the field element of GF (p ^k ) is given by m + for each group of data bits representing the coefficient of the field element for p = 2 ^m −d. Allocating 1 bit (not including guard bits), and for p = 2 ^m + d, m + 2 bits (without guard bits) for each group of data bits representing the coefficient of the field element Except for allocating a, as described above, it may be stored in a hardware register according to one of single-guard-bit notation or multiple-guard-bit notation. For example, in the single-guard-bit notation for p = 2 ^m −1, the first binary data representing the first field element α _i of GF (p ^k ) may be stored as follows. Here, the first binary data includes k groups of first data bits. Assume (m + 2) k as the maximum hardware word size (register size). Let α _{i be} the first field element of GF (p ^k ), where α _i = (α _{k-1, i} , ..., α _{0, i} ) and each α _{j, i} is Sp (described below) As such, depending on the form of p, the specific Sp ^-d or Sp ^{+ d} ). The group of first data bits representing a _{0, i} is stored in the first register at bit positions 0, 1, ... m. The first guard bit with a zero value is stored in the first register at bit position m + 1 (guard-bit position). Another group of first data bits representing α _{1, i} is stored in the first register at bit positions m + 2, ... 2m + 2, and the like. Thus at v = 1, 2, ... there is one first guard bit at every bit position v (m + 2) -1, ie at every successive (m + 1) th bit position. In other words, there is one first guard bit at a position adjacent to the most significant bit of each group of first data bits. The second binary data comprising a k group of second data bits representing a second field element of GF (p ^k ) is generated with one second guard bit adjacent to the most significant bit of each group of second data bits. It can be stored in two registers as well. (Here, “first” and “second” are simply used to distinguish between attributes corresponding to the first field element and the second field element, respectively.) In this way, the first and second of GF (p ^k ) By storing binary data indicative of field elements in the first and second hardware registers, carry will not be transferred from one group of data bits indicative of field coefficients to an adjacent group of data bits indicative of other field coefficients. The method of storing binary data representing field elements in accordance with multi-guard-bit notation is entirely similar except that one or more guard-bit positions are provided between adjacent groups of data bits representing field coefficients. .

When p = 2 ^m −1, addition (ie, execution of GF_p_k_ADD) in GF (p ^k ) will be described with reference to FIGS. 18 and 19. In the case of p = 2 ^m −d, the method for p = 2 ^m −1 may be extended. Assume d> 1 and d are odd. Obviously 1 <d <2 ^m -1 can be assumed, because other p is exactly smaller than 5. Two typical ways of performing addition (two typical forms of executing GF_p_k_ADD) are two regimes of d values, namely 1) d≤ (2 ^m +1) / 3, and 2) (2 ^m +1 ) / 3 <d <2 ^m −1.

First, an exemplary method 1800 of executing GF_p_k_ADD at d ≦ (2 ^m +1) / 3 for the case of p = 2 ^m −d will be described with reference to FIG. 18. This description is applicable to both single-guard-bit notation and multi-guard-bit notation. Set Sp ^-d to 0, 1, ..., 2 ^m + d-1, and place each field coefficient of GF (p ^k ) as an element of set Sp ^-d . Of course, each integer mentioned in Sp- ^d has an equivalent binary string that is used to store the corresponding coefficient of the field element, as described above. The operation shown in FIG. 18 can be executed by a system such as the system 100 shown in FIG. In addition, in steps 301 and 303 illustrated in FIG. 3, in the same manner as described above, the first binary data representing the first field element of the GF (p ^k ) is stored in the first register (for example, the register 107 of FIG. 1). Assume that the second binary data stored at and representing the second field element has already been executed by the processor 105 such that the second binary data is stored in the second register (eg, register 109). The first and second binary data may be stored according to either single-guard-bit notation or multi-guard-bit notation. In other words, the method is the same in either case. The steps shown in FIG. 18 indicate a typical implementation of step 305 shown in FIG.

Steps 1801, 1803 and 1807 are the same as steps 401, 403 and 407 shown in FIG. 4 for p = 2 ^m −1. The processing for determining the predetermined binary amounts M1 and M2 for the method shown in FIG. 18 is also the same as that for FIG. Of course, the exact form of M1 and M2 depends on whether single-guard-bit notation or multi-guard-bit notation has been used, as described above. Also, unlike the case of p = 2 ^m −1, where m bits are used to represent each coefficient, the m + 1 bits are used to represent each coefficient for p = 2 ^m −1. The masks M1 and M2 are thus modified in view of this consideration compared to the case of p = 2 ^m −1. However, the definition (prescription) of this quantity is the same for each function form of p in terms of where the zero / non-zero bits are located relative to the guard / non-guard bit position. Since this difference has been described, no further explanation is needed at steps 1801, 1803, and 1807.

In step 1805, step 1805 is similar to step 405 shown in FIG. 4, except that c2 amount is given by c2 = d * ((a + b) & M2) >> m instead of ((a + b) & M2) >> m. Do. That is, the amount c2 in step 1805 is a multiplication factor of "d" which does not exist in step 405 shown in FIG. Multiplication * by d is a multiplication normally performed with known processors (for example, normal integer multiplication or floating-point multiplication). Binary data representing the amount of d is stored in the rightmost bit position of a register with a zero elsewhere. In other words, if d is regarded as a vector quantity having a coefficient corresponding to a group of data bits associated with a field element, the vector quantity will be (0,0,0, ..., d). Thus, implementing the method 1800 shown in FIG. 18 provides third binary data c representing the sum of the first and second field elements of GF (p ^k ).

Of course, the order of performing the calculation shown in FIG. 18 can be changed from the order shown in FIG. 18 as described above. Other orders may be used as long as c is determined by the following relationship.

(37)

Here, a, b, c, M1 and M2 are as described above. Equation 37 is reduced to equation 13 for the case of d = 1.

It can be seen that the set Sp ^-d is closed under the operation shown in (37). Wherein a and b each include k groups of data bits a _j and b _j , respectively, j = 0, ..., k-1, and each a _j and b _j are Sp ^-d = 0, 1 described above. Display the group of data bits corresponding to the elements of ..., ..., 2m + d-1. In this case, with respect to each of the individual coefficients of the first and second field elements of GF (p ^k ), it can be seen that a _j + b _j ≤2 ^{m + 1} + 2d-2 (this equation is a _j + b _j To reflect a comparison of integer values represented by. h (x) = (x mod 2 ^m ) + d (x div 2 ^m ) (corresponding to Equation 43 above) The function defined by d is localized at each interval of the form t2 ^m , (t + 1) 2 ^m -1. Monotonically increasing "sawtooth" function. Further, for y <2 ^m and z <z ', where z and z' are positive integers, h (z2 ^m + y) <h (z'2 ^m + y). For 0≤ (a _j + b _j ) ≤2 ^{m + 1} + 2d-2, (a _j + b _j ) div 2 ^m ) ≤2 (This expression is equivalent to the integer value represented by a _j + b _j To reflect the comparison). Thus, finding h (a _j + b _j ) ≤ 2 ^m + d-1, for all a _j + b _j in the above intervals, h (2 ^{m + 1} -1) (the highest of any "saw tooth" It is sufficient to find that both "peak") and h (2 ^{m + 1} + 2d-2) (for the maximum possible input to h) are both limited above by 2 ^m + d-1. Evaluating h at these two points, the above limitation d≤2 ^m by ^{+1/3 h (2 m + 1 -1} ) = 2 m + d-1 and ^{h (2 m + 1 + 2d} -2) = 4d-2≤2 ^m + d-1. Thus, Sp ^-4 is closed for Eq 36. For a discussion of the d≤2 ^m +1/3 and p = 2 ^m -d above with reference to FIG. 18 is completed.

An exemplary apparatus 1900 for executing GF_p_k_ADD at (2 ^m +1) / 3 <d ≦ 2 ^m −1 in the case of p = 2 ^m −d will be described with reference to FIG. 19. This description is applicable to both single-guard-bit notation and multi-guard-bit notation. When d is in the range given by (2 ^m + 1) / 3 <d ≦ 2 ^m −1, it may be difficult to find a set Sp of reasonable size that is closed under the above arithmetic operation. In this regard, a reasonable size means that at least two fields of field elements of GF (p ^k ) can be achieved using the method described in FIG. 18 to achieve the desired degree of parallelization and computational efficiency. This means that the set Sp is small enough that the coefficient can be represented in a single hardware register or that a sufficient number of coefficients of the field elements of GF (p ^k ) can be represented in a single hardware register. If such a set Sp of reasonable size can be found, the method shown in Fig. 18 may also be used when d is given by (2 ^m +1) / 3 <d ≦ 2 ^m −1.

If a reasonable size set Sp is not available for d given as (2 ^m +1) / 3 <d ≦ 2 ^m −1, the typical method for GF_p_k_ADD shown in FIG. 19 is added in GF (p ^k ). Can be used to run In this situation, the set Sp is simply set to the set given by Sp = 0, 1, ..., 2 ^m −1 (ie independent d). Addition in GF (p ^k ) is performed according to a slightly modified modular abbreviation algorithm as reflected in FIG. 19. In particular, for convenience, write step 1901 as c = a + b, and the notation “c” is used in steps 1903 and 1905, and step 1901 shown in FIG. 19, except that reassignment of the amount of c occurs in step 1907. , 1903, 1905, and 1907 are the same as steps 1801, 1803, 1805, and 1807, respectively, shown in FIG. Further, the processing for determining M1 and M2 shown in FIG. 19 is the same as that shown in FIG. 18 (of course, the form of M1 and M2 depends on whether single-guard-bit notation or multi-guard-bit notation is used. ). Thus, no further discussion of steps 1901, 1903, 1905, and 1907 is necessary.

The method 1900 shown in FIG. 19 is modified relative to the method 1800 shown in FIG. 18 with respect to step 1909. Step 1909 is a decision step of determining which c _j (of result c), which represents an integer value, is greater than or equal to 2 ^m . If the answer is yes, repeat steps 1903, 1905, and 1907 using the current c. In other words, the method 1900 shown in FIG. 19 performs the operation given by equations 38 and 39.

38, 39

It can be seen that c _j ≥ 2 ^m is an abbreviation for determining whether the group c _j of the data bits representing the integer value is larger than 2 ^m . Thus, as reflected in equations 38 and 39 above, the modular abbreviation is executed until each c _j <2 ^m , which ensures that each c _j of the result c is in the set Sp. Thus, the method involves subtracting multiples of p from each coefficient of the field elements of GF (p ^k ) in effect. Where each coefficient is an element of the set Sp. Since p <2 ^m and c> 0, each c _j of the result c is (a _j + b _j ) mod p's actual notation, up to a multiple of p. Of course, modular medicine can take more time, and there is one problem: how much of the medicine represented by equation 39 is executed. Under the above method, it can be seen that the medicine is executed up to two times. In particular, it is assumed in equation 38 that c _j is at least c _j ≧ 2 ^m (otherwise nothing to see). Since a _j and b _j represent coefficients that are elements of Sp, c _j ≥ 2 ^{m + 1} -2 is true. In Eq 39, each run on the drug is a multiple of p, i.e., tp. Where t≥1. At this time, since c _j −2p ≦ 2 ^{m +} 1-2- (2 ^m −d) = 2d-2 <2 ^m , it can be seen that up to two modular drugs are required.

It remains to show how to determine if c _j ≧ 2 ^m in equation 39. These checks can be run for all c _j in parallel as follows: Suppose c = (c _k-1 , ..., c ₀ ) maintains the binary result according to the fraction in equation 39. The above formula in Equation 39 needs to be executed again if j having 0 ≦ j ≦ k−1 such that c _j ≧ 2 ^m . As M2 as defined above predetermined binary quantity (mask quantity), test (c & M2 _j) Running ≠ 0 is true only if at least one of c _j satisfy c _j ≥2 ^m. Even if there are some other c _j <2 ^m , the drug does not have any effect on that component (because c _j div 2 ^m = 0 and there is no multiple of p subtracted there), so the medicine for that component is executed. There is nothing to do. This as referred to Fig. ^{19 (2 m +1) / 3} <d≤2 m -1 and p = 2 ^m -d completes the discussion of the case.

Addition in GF (p ^k ) (that is, execution of GF_p_k_ADD) for the case where p = 2 ^m + d will be described with reference to FIGS. 20 and 21. In the case of p = 2 ^m + d, the method for p = 2 ^m +1 can be extended. Assume d> 1 and d is odd. Two typical ways of performing addition (two typical forms of executing GF_p_k_ADD) are in two situations for the following d values: 1) d≤p / 6 and 2) p / 6 <d <2 ^m -1 may be used in accordance with (in the case of d≥p = 2 ^m -1 it is p = 2 ^m ± d 'simply by filling the material into p, can be treated by the method described above, where m' and d 'are appropriately selected do.)

First, a typical method 200 for executing GF_p_k_ADD at d ≦ p / 6 for p = 2 ^m + d will be described with reference to FIG. 20. This description is applicable to both single-guard-bit notation and multi-guard-bit notation. Here, the set Sp ^{+ d} is given by 0, 1, ..., 2p- (d + 1), and each coefficient of the field element of GF (p ^k ) is for each coefficient not including the guard bit. The required storage bit is an element of the set Sp ^{+ d} , where m + 2. The operation shown in FIG. 18 may be executed by a system such as system 100 shown in FIG. In addition, in steps 301 and 303 illustrated in FIG. 3, in the same manner as described above, the first binary data representing the first field element of the GF (p ^k ) is stored in the first register (for example, the register 107 of FIG. 1). Assume that the second binary data stored at and representing the second field element has already been executed by the processor 105 such that the second binary data is stored in the second register (eg, register 109). The first and second binary data may be stored according to either single-guard-bit notation or multi-guard-bit notation. In other words, the method is the same in either case. The steps shown in FIG. 20 indicate a typical implementation of step 305 shown in FIG.

Steps 2001, 2003, 2005 and 2009 are the same as steps 1401, 1403, 1405 and 1409 shown in FIG. 14 for p = 2 ^m + 1. Further, the processing for determining the predetermined binary amounts M1 and M2 is also the same as that for FIG. 20 and for FIG. 4 (of course, the exact form of M1 and M2 is, as described above, single-guard-bit notation or It depends on which of the multi-guard-bit notations was used.) As described above, m + 2 bits are allocated to store each coefficient of the field element, which does not include guard bits. Thus, no further discussion of this step is necessary. In step 2007, except that c2 amount is given by c2 = P1-d * ((a + b) & M2) >> m instead of P1-((a + b) & M2) >> m, step 2007 is shown in FIG. Similar to step 1407. Where * is the above multiplication (e.g., normal integer multiplication or floating-point multiplication). That is, the amount c2 in step 2007 has a multiplication factor of "d" which is not present in step 1407 shown in FIG. In addition, P1 is, as shown in step 1407 of Figure 14. In step 2007 of FIG. 20, include a binary value representing the 2 ^m + d than 2 ^m +1. Thus, implementing the method 2000 shown in FIG. 20 provides third binary data c representing the sum of the first and second field elements of GF (p ^k ).

Of course, the order of performing the calculation shown in FIG. 20 can be changed from the order shown in FIG. 18 as described above. Other methods can be used as long as the amount of c is determined as shown in Equation 40 below. Here, a, b, c, M1, M2 and P1 are the same as already described with reference to FIG. 14.

40

This is reduced to equation 36 for the case of d = 1. This completes the discussion of the case of d ≦ p / 6 and p = 2 ^m + d with reference to FIG. 20. One of ordinary skill in the art, as described above, can demonstrate that Sp ^{+ d} is actually closed for the above drug using a method similar to the case of p = 2 ^m -d, d> 1. will be.

A typical apparatus 2100 for executing GF_p_k_ADD at p / 6 <d ≦ 2 ^m −1 in the case of p = 2 ^m + d will be described with reference to FIG. 21. This description is applicable to both single-guard-bit notation and multi-guard-bit notation. As described for the case where p = 2 ^m −d, when d is in the range given by p / 6 <d ≦ 2 ^m −1, it may be difficult to find a reasonable size set Sp that is closed under the above arithmetic operation. . However, to find such a set Sp of reasonable size, may also be used when d is given by p / 6 <d≤2 ^m -1 the method shown in Fig.

If a reasonable sized set Sp is not available for d given p / 6 <d ≦ 2 ^m −1, then by repeating the medicament similar to that performed in equation 39 for the case of p = 2 ^m −d The typical method for GF_p_k_ADD shown in FIG. 21 can be used to perform addition in GF (p ^k ). However, it is not clear that coefficients already smaller than 2 ^m cannot be made larger by this medicine. In fact, this is the real case. Knowing that h '(0) = p> 0, consider the weak function h' (z) = (z mod 2 ^m ) + pd (z div 2 ^m ). Further, at intervals p, p + 1, ..., 2 ^{m + 1} -1, the function h 'has a fixed point, i.e. h' (z) = z for all z in that interval. Therefore, the method of repeated medicine needs some modification. In this situation, the set Sp is replaced to give Sp = 0, 1, ..., 2 ^{m + 1} −1 (ie independent d). Now, m + 1 bits are needed for the storage of each coefficient, which does not include guard-bits. Addition in GF (p ^k ) may be performed according to a slightly modified modular abbreviation algorithm as reflected in FIG. 21. Specifically, step 2101 is written using c = a + b, and the notation “c” is used in steps 2103-2107, and step 2101 shown in Fig. 20, except that reassignment of the amount of c occurs in step 2109, It can be seen that 2103, 2905, 2107 and 2109 are the same as steps 2101, 2103, 2105, 2107 and 2109 respectively shown in FIG. Also, the process of determining the amounts of M1, M2 and P1 shown in FIG. 21 is the same as that shown in FIG. 20 (of course, the exact form of M1, M2 and P1 is single-guard-bit notation or multi-guard-bit notation. Whichever was used). Thus, no further discussion of steps 2101, 2103, 2105, 2107 and 2109 is necessary.

However, the method 2100 shown in FIG. 21 is modified relative to the method 1800 shown in FIG. 20 with respect to step 2111. As described with reference to FIG. 19, step 2111 is a determination step of determining which c _j (of result c) indicating an integer value is greater than 2 ^{m + 1} . If the answer is yes, repeat steps 2103, 2105, 2107, and 2109. In other words, the method 2100 shown in FIG. 21 performs the operation given by equations 41 and 42.

41, 42

It can be seen that c _j ≥ 2 ^{m + 1} is an abbreviation for determining whether a group c _j of data bits representing an integer value is larger than 2 ^{m + 1} . Therefore, the execution of the loop represented by Equation 42 is similar to that described with reference to Equation 39 and FIG. 19. The difference is that in the previous case the check can be executed by checking whether (c & M2) is zero or not. In the present case the check can be performed by checking whether (c & M7) is zero or not, where M7 is except that bit m and generally the least significant non-zero bit of any given segment of M2 are reset to zero. Then, it is new binary amount like M2. (For example, the amount of M2 shown in d of FIG. 15 is a repetitive occurrence of (1,1,0,0) as indicated by reference numeral 1511, while the amount of M7 described above provides a guard bit at an appropriate position. Will be given by the repeated occurrence of (1,0,0,0) for the test of the present case.) Those of ordinary skill in the art will appreciate the above selection of Sp and the test in equation 42. It will be readily appreciated that the condition can be used to make all the components of c smaller than 2 ^{m + 1} and eventually end the drug. This completes the discussion of the p / 6 <d <2 ^m −1 and p = 2 ^m + d cases with reference to FIG. 21.

In the discussion above with respect to FIGS. 18-21, it should be noted that the method shown herein may apply both single-guard-bit notation and multi-guard-bit notation. When multi-guard-bit notation is used, each of the first and second binary data representing the first and second field elements is each field element, rather than a single guard bit in the case for the single-guard-bit notation. It is only essential to know that it is stored as multiple guard bits located between adjacent groups of data bits that represent the coefficient of. Also, the process of determining the amounts of M1, M2 and P1 does not require modification to the multi-guard-bit notation. Of course, applying this process for multi-guard-bit notation will produce amounts of M1, M2, and P1 that are different from those that can be generated for single-guard-bit notation. In addition, separate descriptions for addition in GF (p ^k ) are provided for the case where p can be written as p = 2 ^m -d and p = 2 ^m + d, so that p = 2 ^m -d and p The above method for the case of = 2 ^m + d, where d is an integer greater than or equal to 3 and less than 2 ^m −1, m is an integer greater than or equal to 3 and p ≠ 2 ^N for any integer ^N It will be appreciated that it can be applied mainly in the case of ± 1.

Multiplication of the field elements in GF (p ^k ) for p = 2 ^m −d and p = 2 ^m + d yields p = 2 ^m − for both single-guard-bit notation and multi-guard-bit notation. This can be done using the typical form of GF_p_k_MUL already described with reference to Figures 9-12 for d. m + 1 bits (not including guard bits), p = 2 to m bits for the case of ^m -d contrary, p = 2 to display a coefficient of a field element of GF (p ^k) for the ^m -d It is only necessary to know that it is allocated to store each group of data bits. Of course, this difference should also apply to the form of the DLOG and ANTILOG tables. Where compression and decompression functions (COMP) and decompression functions (DECOMP) are available in multi-guard-bit notation, these functions use m + 1 bits rather than m bits to store each group of data bits representing field coefficients. Should be considered for assignment.

For p = 2 ^m -d, scalar multiplication (Eq. 23), doubling (Eq. 29-29), addition inversion (Eq. 30), multiplication inverse (Eq. 31) and exponent (Eq. 32) Various other operations may be performed in accordance with the present invention. In view of the foregoing discussion, one of ordinary skill in the art, using the above-described method, is able to make such a case for p = 2 ^m +1, p = 2 ^m -d, p = 2 ^m + d. It is clear that operations can also be executed. It is also clear that a hardware device as described with reference to Figures 6-8, 12, 16 and 17 can be used for the case of p = 2 ^m -d and p = 2 ^m + d. The multiplication apparatus 1200 shown in FIG. 12 does not actually need modification for use at p = 2 ^m −d and p = 2 ^m + d.

To modify the hardware device of FIG. 6 to adapt to the case of p = 2 ^m -d (d> 1), right-shift a multiplier circuit that performs multiplication (normal multiplication) by a given amount of d. It is inserted between the gate 619 and the input connection register 603, that is, at the position indicated by "**" in FIG. For Fig. 7, a homogeneous multiplication circuit is inserted between the right-shift gate 719 and the input connection register 703, i.e. at the position indicated by &quot; ** &quot; Totally similarly, in order to correct for the general case of p = 2 ^m + d, d> 1, the device shown in Figs. 16 and 17 is shown as a homogeneous multiplication circuit at the position indicated by “**” in the figure. You can modify each one.

p = 2 as with the above-mentioned efficiency for ^m + d, can be expected to improve the efficiency in the way daehaen ^{p = 2 m +1, p =} 2 m -d , and p = 2 ^m + d. For example, in addition to k = 3, the method described herein will be about 8 times faster than the conventional method (which does not include parallelism as in the present invention). For k = 8 and k = 10, the method described herein will be about 15 times faster than the conventional method.

Parallel addition of non-prime moduli

As is evident in the art, the fact that p is a prime number is actually used in any case where p = 2 ^m ± d, d ≧ 1 with the k parallel addition module. While it is important to use decimal p for multiplication in finite fields (otherwise, the group is aperiodic and no constructor / log table can be found), the addition operation is well defined and entirely similar, even if p is not prime. . Thus, in another aspect of the present invention, the typical method described above for GF_p_k_ADD is k parallel addition modulo p for any p (not prime or prime) that is close to a power of two, i.e. for p = 2m ± d. Can be used to execute. Fully similarly, the above method can be used for different p function forms depending on the sign in front of d and the magnitude of d.

Other Aspects Including Encryption and Error Correction

In another aspect of the present invention, the above method can be used in an error correction apparatus and an error correction method. The purpose of the error correction code is to allow the receiver to reproduce the original message even if the message is interrupted by an error during transmission. This is done by introducing redundancy into the message. As is well known in the art, a number of check equations are used in the error-correction code. When a message is received, the receiver may check the received data according to this equation to determine if an error has occurred, and if so, determine the error. According to this equation defining the error-correction code, it is sometimes possible to correct multiple errors.

In many cases code / equations can be constructed using finite field arithmetic. The code will consist of _N- tuples (or vectors) of the form g = g ₀ , g ₁ , ..., g _N-1 , where each g _i is in GF (q) for any q Is an element of. Of all the possible g, a relatively small set may be a valid code word. That is, if all g are allowed, it is impossible to tell whether or not an error has occurred.

Typically, each message is sent mapped to this N-valley. If a limited number of g _i is lost, the receiver recovers g to retrieve the original message. Examples of such codes are known in the art, such as Reed-Solomon codes, BCH codes and Goppa codes, which are described in “ The Theory of Error Correcting Code by Fj MaxWilliams and NJA Sloane, Elsevier Science BV, Amsterdam, 1977 ”. have. As mentioned above, this code can be used for arithmetic operations on the Wuhan field. However, in the conventional implementation of such code, a single coefficient of GF (p ^k ) uses either a binary finite field or an odd-number finite field in an inefficient conventional manner in which it operates in a hardware register. On the other hand, in the present invention, data representing the coefficients of the finite field is stored by storing binary data representing the multiple coefficients of the odd-number finite field in a single hardware register and processing the binary data representing the multiple coefficients in parallel. A method of performing error correction involving odd-number finite fields, which is processed in parallel with high efficiency.

As described previously in “ The Theory of Error Correcting Code, ” a conventional method of decoding a BCH code is described next. Field F = GF (q) is a field of q = p ⁿ elements, and w is denotes the multiplication order of q modulo N (ie, w is the minimum y such that q ^y = 1 mod ^N ). The element α in GF (q ^N ) is one of the primitive N-th roots of one. root of unity, where N is the smallest integer for α ^N = 1 in this field, where N = q ^w −1, which corresponds to the original BCH code, and N = that corresponds to the Reed-Solomon code. When q-1, an important special case occurs: The corresponding BCH code is any N-dimensional vector g = (g ₀ , g with components in GF (q) satisfying the matrix-vector equation Hg ^T = 0. ₁ , ..., g _N-1 ).

(43)

Where T represents the transpose and D is some value between 1 and N-1. This description is related to the BCH code in a narrow sense and is not the most general form.

In an aspect of the present invention, a typical error-correction apparatus 2200 is provided as shown in the block diagram of FIG. The apparatus 2200 may include an input element 2201 (which may be an input / output element, for example) that receives a signal for displaying an allowed code word of an error correction code, and a processor 2203 programmed for error correction. ). The apparatus 2200 can be accessed by the processor 2203 (eg, to obtain a computer program that allows the processor to execute the steps of the methods described herein) and is provided by a processor. It also includes memory for storing data (for example, calculation results). The signal may be binary data or an analog signal that is converted into binary data by the input / output unit 2201 (for example, mapping by a mapping element). As used herein, the term "binary data to represent allowed code words" is intended to include both of these possibilities.

The processing unit 2203 may be any suitable processing unit that executes the method described herein, and the input / output unit 22 may be any suitable interface or element for input / output data. For example, the processing unit 2203 may be a processing unit of a conventional computer, and the input / output element 2201 may be a conventional modem. As another example, the processing unit 2203 may be a processing unit of a portable device such as a mobile phone or a personal portable terminal, and the input / output device 2201 may be a wireless transceiver. As another example, the processing unit 2203 may be a processing unit of a compact disc (CD) player or a digital video disc (DVD) player, and the input / output element receives a signal from a laser beam modulated by the CD or DVD and receives the corresponding electric signal. It may be an optical signal receiver for outputting.

The processor is programmed to correct errors in binary data, where the allowed code words are N-valley field elements of GF (p ^{l k} ). The finite field GF (p ^{l k} ) is an extension field of the base field GF (p ^k ), where p is an odd number and the field element of GF (p ^k ) contains the k basis coefficients. Part of the binary data comprises k groups of data bits, and indicates a field element of GF (p ^k), wherein the field GF (p ^k) having the k base coefficients in accordance with a polynomial basis notation, each group of data bits, k Displays the corresponding one of the base coefficients. A portion of the binary data is stored in a register, and the processing unit processes the portion of the binary data such that k groups of data bits are processed in parallel using, for example, the arithmetic operations described above. This will be described in more detail below.

In particular, the error-correction apparatus 2200 may be programmed for error correction according to the present invention using the typical method 2300 shown in FIG. For example, the method 2300 may be executed to decode the BCH code, applying the calculation method of the present invention described above to the matrix formula for error correction described above with reference to equation 50. The method 2300 is based on the received binary data g '= (g' ₀ , g ' ₁ , ..., g' _N-1 ), which attempts to indicate an allowed code word. ) Can be corrected.

First, as in step 2301 of FIG. 23, the error-correction apparatus receives binary data for indicating an allowed code word of an error correction code, where the allowed code word is an N- ^number of GF (p ^{l k} ). Is a field element of, and p is an odd number. In other words, each allowed code word consists of N fields of GF (p ^{l k} ). Binary data may be received directly or may be converted from an analog signal as described above. In addition, each field element of GF (p ^{l k} ) may be considered to include the l primary coefficient according to the polynomial basis notation, where each major coefficient is a field of GF (p ^k ) with k basis coefficients. Element. Binary data to represent an allowed code word can be viewed as containing N collections of data bits, where each collection of data bits contains l segments of data bits, and each segment of data bits is l. Indicates one of the major coefficients. Further, each segment of data bits may be viewed as including a k group of data bits, where each group of data bits represents a corresponding one of the k basis coefficients.

As shown in step 2303, the error-correcting device 2200 calculates a syndrome based on the received binary data, where it corresponds to a given portion of the binary data (e.g., one of the l major coefficients, A segment of a given data bit) is stored in a register where k groups of data bits of the given portion of binary data are processed in parallel. In particular, for the example of the matrix formula described above (relative to the BCH code) with reference to equation 43, the syndrome can be calculated as follows. The transmitted binary data g = (g ₀ , g ₁ , ..., g _N-1 ) (or the transmitted signal corresponding to this binary data) is binary data g '= (g' ₀ , g ' ₁ ,. .., g ' _N-1 ). Set the error position in binary data g 'to its index j for g' _j ≠ g _j , and set the error value in GF (p ^{l k} ) to satisfy g ' _j = g _j + e _j . Leave the value e _j . Finally, for convenience, let η ^j = α ^j where α ^j is the j square of α (calculated in the field). In relation to the matrix 43 described above, the syndrome S can be calculated according to the following relationship.

(44)

Where S = (S ₁ , S ₂ , ..., S _d-1 ). g 'component g of the' _j is an element in GF (p ^{l k),} the syndrome entries S _i is an element of GF (p ^{Nl k),} where the GF (p ^{Nl k)} is GF (p ^{l k)} Extension field. In the case of calculating syndrome S according to equation 44, an arithmetic operation must be performed in field GF (p ^k ). As noted above, each of the l segments of data bits includes k groups of data bits, and each group of data bits represents a corresponding one of the k basis coefficients. As reflected in step 2303, the syndrome is calculated such that the k groups of data bits stored in the registers are processed in parallel using, for example, the typical execution of GF_p_k_ADD and GF_p_k_MUL, as well as any other necessary operations described above.

Next, as shown in step 2305, it is determined whether the syndrome S is equal to zero, that is, whether S = 0 = (0, 0, ..., 0). If S = 0 no error occurs and the procedure skips to step 2309, where it is determined whether there is more data to be processed. If S ≠ 0, the procedure proceeds to step 2307 where an error is detected.

As shown in step 2307, the error-correction apparatus detects an error in an error-containing portion of the binary data (e.g., an error-containing segment of data bits) based on the syndrome, and the binary data. Process k groups of data bits of the error-bearing portion of in parallel to correct errors in the error-bearing portion of binary data. This process is repeated for all error-bearing portions of binary data. For example, with respect to the matrix formula of equation 44 associated with the BCH code, assuming that an r error occurs, equation 45 below must be satisfied for each j, where 0 ≦ j ≦ d−1. For some e _i (error values) in GF (p ^{l k} )

(45)

And η _ik belong to the set η ₀ , ..., η _n-1 (error position).

Further, when determining the error value according to this example, of the following equation system has a unique solution for the τ _i values and the maximum number r must be determined, these τ _i to be determined (here r is damaged in g ' Number of indexes).

(46)

Where 0 ≦ j ≦ r−1. This can be achieved, for example, using the Berlekamp-Massey algorithm, which is known in the art and described above in “ The Theory Of Error Correcting Codes. ” At this time, an error-locator of order r -locator), which has the form

(47)

Where τ ₀ = 1, which determines the error location. By equation 47, the given j (0≤j≤r-1) is the error position only if s (η _j ^-1 ) = 0, which in turn equates each s (x) by Horner's evaluation rule for polynomials. The evaluation rules of Horner are known in the art and are described, for example, in the above-mentioned " Semiumerical Algorithms , Vol. 2 of The Art of Computer Programming ". Calculations include addition and multiplication of order r in GF (p ^{l k} ), which, as described above, provides a typical method for SUM (α, β), PRODUCT (α, β), GF_p_k_ADD and GF_p_k_MUL according to the present invention. Can be run using

At this time, η _j found as described above is introduced into the equation defined by equation 45 to find the error value e _i and solve it. For location j where no error occurs, the value e _j is defined as e _j = 0. Next, the error is corrected according to the relation g = g'-e, where e = (e ₀ , e ₁ , ..., e _N-1 ). That is, for each j between 0 and N-1, the amount of g _j is determined according to _{g j = g 'j -e j} . Subsequent steps are accomplished by performing N subtraction in GF (p ^{l k} ). At this point, step 2307 is that error correction involving the BCH code is completed for typical processing.

As in step 2309 shown in Fig. 23, it is determined whether there is more data to be processed. That is, it is determined whether or not binary data for indicating an allowed code word should be received and processed. If there is more data to be processed, the procedure returns to step 2301. If there is no more data to be processed, the procedure ends.

In another aspect of the invention, the arithmetic methods of the invention described above, including but not limited to GF_p_k_ADD, GF_p_k_MUL, and typical methods for exponents, include, for example, cryptography in elliptic curves and cryptography in key exchange. Can be used as a law. Cryptography using elliptic curves is well known in the art. For example, a method of encrypting plaintext in an elliptic curve is described, for example, in US Pat. No. 6,307,935 (Method and apparatus for fast elliptic encryption with direct embedding), the entire contents of which are incorporated herein by reference. Included. Also described in US Pat. No. 6,122,736 (Key agreement and transport protocol with implicit signatures) for key agreement and transport protocols that can use elliptic curves, the entire contents of which are incorporated herein by reference. do. A public key protocol that can use an elliptic curve is also described in US Pat. No. 5,933,504 (Strengthened public key protocol), the entire contents of which are incorporated herein by reference. Also described in US Patent No. 5,159,632 (Method and apparatus for public key exchange in a cryptographic system) is described for carrying out a key exchange comprising an elliptic curve, the entire contents of which are incorporated herein by reference. However, US Pat. Nos. 6,307,935, 6,122736, 5,933,504 and 5,159,632 describe, as noted herein, storing binary data representing multiple field-element coefficients in a single register and processing such binary data in parallel. Not.

Some aspects of the elliptic curve will be described. For two elements α and β in finite fields F and F, an elliptic curve for F can be considered (unofficially) in the set of points (x, y) at FxF satisfying the following equation.

(48)

There is also a point O at infinity that is conceptually thought to be raised "indefinitely" on the y-axis. These points form an Abelian group under the group “add” operation, denoted by ⓧ. This group addition operation is defined in terms of arithmetic operations in the underlying field F, as known in the art. Thus, in accordance with the present invention, the backing field may be selected to be an odd-numbered finite field GF (p ^k ) (or an extension thereof), the typical arithmetic method described above including, but not limited to, GF_p_k_ADD and GF_p_k_MUL and exponents, It can be used to increase computational efficiency in the computation of cryptography that implements elliptic-curve groups for odd-number finite field GF (p ^k ).

For example, if g is a point on this elliptic curve, g is combined with itself x times under the power operation, and is given as:

(49)

The operation of equation 49 can be thought of as an exponent, where z = gx. In the remainder of the description, the synthesis of a group operation with its own that operates x times for g is denoted by g ^x . From the above relationship, it will always be clear if this operation is finite field multiplication, or elliptic curve point addition. Thus, in the case of elliptic curves, this creates a special case of the discrete log problem mentioned above. The current technology is of particular interest for cryptography because it suggests that elliptic curve versions of discrete logs can be more difficult to solve than other settings.

According to an aspect of the present invention, there is provided an encryption apparatus including a key source and an odd-number finite field encryption unit coupled with a key source used in the encryption system, such as the typical encryption system shown in Fig. 24A. The cryptographic apparatus is configured to perform an encryption calculation comprising the field GF (p ^k ) (p is an odd number) and may use single-guard-bit notation or multi-guard-bit notation. An exemplary encryption system according to the present invention is described with reference to FIG. 24A.

FIG. 24A is a functional block diagram illustrating an encryption system 2400, which illustrates an encryption system 2400 for a first encryption device 2401, a second encryption device 2403, and an insecure channel 2417. As shown in FIG. A first transceiver 2405 that transmits and receives ciphertext, and a second transceiver 2407 that transmits and receives cyphertext for unstable channel 2417. Assume that an eavesdropper 2419 can monitor communication for the unstable channel 2417. The first encryption device 2401 includes a first key source 2409 and a first odd-number finite-field encryption unit 2411 (hereinafter referred to as a first FFCU) that encrypts and decrypts a message. For example, one or both of the first key source 2409 and the first FFCU 2411 may be realized using one or more processing units of a portable element such as a conventional computer or mobile phone. In addition, the first encryption device 2401 can be accessed by the FFCU 2411 (to obtain a computer program that allows the FFCU 2411 to execute the steps of the encryption method described herein), and the FFCU 2411 It may also include a memory capable of storing binary data (e.g., calculation results) provided by &lt; RTI ID = 0.0 &gt;

The second encryption device 2403 includes a second key source 2413 and a second odd-number finite-field encryption unit 2415 (hereafter referred to as a second FFCU) for encrypting and decrypting messages. , &Quot; first &quot; and &quot; second &quot; are used only to distinguish the first encryption device 2401 from the second encryption device 2403).

For example, one or both of the second key source 2413 and the second FFCU 2415 may be realized using one or more processing units of a portable element such as a conventional computer or mobile phone. In addition, the second encryption device 2403 can be accessed by the FFCU 2415 (to obtain a computer program that allows the FFCU 2415 to execute the steps of the encryption method described herein), and the FFCU 2415 It may also include a memory capable of storing binary data (e.g., calculation results) provided by &lt; RTI ID = 0.0 &gt; In addition, the first and second key sources 2409 and 2413 may include a random number generator.

As described above, the first encryption apparatus 2401 includes a first key source 2409 and a first odd-number finite-field encryption unit (FFCU) 2411 coupled with the key source. In one aspect of the invention, the FFCU 2411 (or FFCU 2415) may be configured to perform the steps of the typical encryption method 2450 shown in the flow chart of FIG. 24B. The method 2450 stores binary data representing at least a portion of the field elements of the odd-number finite field GF (p ^k ) in a register (e.g., an internal register of the processing portion used to realize FFCU 2411). Where p is an odd number (step 2451). The field elements contain k coefficients according to polynomial-based notation, and the binary data includes multiple groups of data bits, where each group of data bits represents an associated one of the k coefficients. The method includes multiple groups processing binary data according to an encryption algorithm such that data bits are processed in parallel (step 2453).

Regarding the typical operation of the encryption system 2400 shown in FIG. 24A and the typical encryption method 2450 shown in FIG. 24B, further details will be described. This description will be tailored if the message is sent from the first cryptographic device 2401 and received by the second cryptographic device 2403, but the above description begins with the second cryptographic device 2403 and the first encryption. The same applies to the situation received by the device 2401.

Each of the first communicator and the second communicator has a secure key. In one aspect, a security key can be generated by key exchange in accordance with the present invention. In this regard, the binary data may be key data, and the encryption algorithm may be a key exchange algorithm as described below with reference to FIG. Therefore, the security key can be exchanged through the insecure channel 2417. Alternatively, in another typical aspect, each of the communicators may have a pair of public key / private key, where each public machine's public key is a different communicator for the public channel. Make it available. In this regard, the binary data may be message data, and the encryption algorithm may be a public key encryption algorithm used to encrypt / decrypt message data, as described below with reference to FIG. 26. .

As shown in FIG. 24A, a security key generated by a key exchange or a public key may be provided from the key source 2409 to the first FFCU 2411 of the first encryption device 2401. Plaintext P is provided to the first FFCU 2411, and using the appropriate encryption algorithm, the plaintext is encrypted by the first FFCU 2411 to produce a ciphertext (C). The encryption algorithm is matched in advance by the first and second communicators, and the key from the key source 2409 can be configured appropriately for the encryption algorithm. If the key exchange according to the present invention is used to generate a security key, the encryption algorithm used to encrypt the plaintext may be a suitable encryption algorithm, for example DES or RSA. If a pair of public / private keys are used, an encryption algorithm for encrypting the plaintext may be used for public-key encryption or the method 2450 shown in FIG. 24B as described below with reference to FIGS. 26, 27, and 28. It can be a suitable encryption algorithm that can be realized accordingly.

Cyphertext C is provided to a transceiver 2405 (eg, a network interface, modem, or wireless transmitter / receiver) that transmits cyphertext C to transceiver 92407 over unsafe channel 2417.

The cyphertext is provided to the second FFCU 2415 of the second encryption device 2403. According to the decryption algorithm corresponding to the encryption algorithm matched by the first and second communicators, the second FFCU 2415 decrypts the ciphertext. The decryption algorithm uses a key from the key source 2413 associated with the decryption. The key is, for example, a key generated using a key exchange or a private key corresponding to the public key used for encryption. Further exemplary embodiments in accordance with the present invention in conjunction with FIGS. 24A and 23B are described.

In one aspect of the invention, binary data stored in a register represents all k coefficient field elements. Further, multiple groups of data bits such that at least one guard bit is located adjacent to the most significant bit of each group of data bits, and each group of data bits is separated from an adjacent group of data bits by the corresponding at least one guard bit. Can be stored in a register. One guard bit (single-guard-bit notation) or multiple guard bits (multi-guard-bit notation) may be located adjacent to the most significant bit of each group of data bits. An initial value of zero may be assigned to each of the at least one guard bit.

In one aspect of the present invention, cryptographic apparatus 2401 (and / or 2403) uses a calculation comprising an odd-number finite field GF (p ^k ) to perform key exchange as an example of cryptographic method 2450. You can run This key exchange can be performed using single-guard-bit notation or multi-guard-bit notation. An exemplary method of key exchange according to the present invention, which is implemented using, for example, encryption system 2400, is described with reference to FIGS. 24A and 25. FIG.

The first communicator with the first cryptographic device 2401 and the second communicator with the second cryptographic device 2403 want to communicate securely over the unsafe channel 2417 so that the eavesdropper cannot decrypt the transmission. Thus, the first and second communicators must first match for encryption keys, such as authentication. Such a key can be generated using Diffie-Hellman key exchange that is adapted for the finite-field for GF (p ^k ) according to the present invention. Conventional Diffie-Hellman key exchanges are described in US Pat. No. 4,200,770 to Cryptographic apparatus and method, the entire contents of which are incorporated herein by reference. Also, as noted above, conventional key exchange for elliptic curves is described in US Pat. No. 5,159,632, which is already incorporated herein.

The first and second communicators match for g, where g is a point on an elliptic curve for an element of a finite field or F, and F is an extension of the hole-index finite field GF (p ^k ) or GF (p ^k ) Field, p is odd. In practice, g produces a group that performs the calculation, i. For example, if g is selected as the point on the elliptic curve for F, the group can be viewed as an elliptic curve group defined for F. If g is selected as an element of F, the group can be viewed as a conventional multiplication group for the finite field F. In either case, the amount of g should be chosen such that the minimum integer x (where g ^x = 1) is large enough to provide sufficient security (“1” is the identity element in the group). For example, this binary notation of integer x requires that the computational capacity of current generation processors be at least 160 bits in size. This minimum integer (x) can be written as | G | (size of the group). Sufficient security in this regard means that the exponent is safe in that discrete algebraic problems are difficult to deal with (ie, computationally impractical).

To generate the key, the number xA is generated (step 2501) by the key source 2409 of the first encryption unit 2401 coupled to the first communicator and provided to the first FFCU 2411. As is commonly known in the art, the number xA can be, for example, a randomly or pseudorandomly generated integer. The number xA is not intended to be shared with other communicators and in this respect can be considered a password. In this context, integers may be understood to include both integers stored as floating-point decimals, as well as integers stored as integers. The first FFCU 2411 generates yA and sends it through the unsafe channel 2417 to the second encryption unit 2403 coupled with the second communicator (where yA = g ^xA (step 2503)). As noted above, g can be an element of a finite field F or a point on an elliptic curve for F, where F is an extension of the hole-index finite field GF (p ^k ) or GF (p ^k ), and p is a hole Prime number. The amount of g includes a plurality of first basis coefficients, where the first basis coefficient is an element of GF (p). For example, if g is selected as an element of GF (· p ^k ), g includes the k first basis coefficient which is an element of GF (p). If g is selected as an element of the extended field GF (p ^{l k} ), g includes the l · k first basis coefficient which is an element of GF (p). If g is chosen as the point on the elliptic curve for GF (p ^k ), g contains the 2 · k first basis coefficients, which are elements of GF (p), which are both elements of GF (p ^k ) Because it is represented by a pair of quantities. Similarly, if g is selected as the point on the elliptic curve for GF (p ^{l k} ), g includes the 2 · l · k basis coefficient which is an element of GF (p).

Storing the first group of first data bits indicative of at least some of the plurality of first basis coefficients of g in the first register and processing the multiple groups of first data bits in parallel to produce yA, thereby providing a first FFCU ( 2411 executes the calculation of yA (step 2503). At least one first guard bit is located adjacent to the most significant bit of each group of first data bits, and each group of first data bits is from an adjacent group of first data bits by at least one first guard bit corresponding thereto. To be separated, multiple groups of first data bits may be stored in the first register. The first guard bit may be located adjacent to the most significant bit of each group of first data bits (ie, single-guard-bit notation), or multiple first guard bits may be the most significant bit of each group of first data bits. It may be located adjacent to (ie, multi-guard-bit notation). An initial value of zero is assigned to each first guard bit. Calculation of yA can be performed using the exponential function mentioned in equation 32 so that multiple groups of first data bits are processed in parallel in the manner described above. Equation 32 has been described with respect to p in the form of p = 2 ^m −1, but as described above, Equation 32 is also applicable to p in the form of p = 2 ^m +1 and p = 2 ^m ± d. Depending on the hardware register size and the number of first base coefficients that g includes, it is possible to store multiple groups of first data bits representing all base coefficients of g in a single register.

Similarly, the number xB (e.g., a randomly or pseudorandomly generated integer) is independently generated by the second key source 2413 of the second encrypting unit 2403 coupled to the second communicator, so that the second Provided to FFCU 2415. The number xB is not intended to be shared with other communicators, and in this respect can be considered a password. The second FFCU 2415 calculates yB and sends yB = g ^xB to the first encryption unit 2401 through the unsafe channel 2417. Multiple of first data bits representing at least some of g's multiple first basis coefficients in either single-guard-bit notation or multi-guard-bit notation such that multiple groups of data bits are processed in parallel in the manner described above. By storing the group in a register and using the exponential function mentioned in equation 32, the second FFCU 2415 can perform the calculation of yB.

The first FFCU 2411 receives an amount of yB, where yB includes a plurality of second basis coefficients, and the second basis coefficients are elements of GF (p) (step 2505). The FFCU 2411 stores multiple groups of second data bits indicative of at least some of the plurality of second basis coefficients of yB in a second register, and processes multiple groups of second data bits in parallel so that K = (yB ^xA is calculated (step 2507). The second FFCU 2415 calculates the same value K in accordance with K = (yB) ^xA . This calculation can also be performed using the exponential function mentioned in equation 32, where multiple groups of data bits representing the basis coefficients (elements of GF (p)) of yB and yA are processed in parallel, respectively. Under the above assumption, only the first and second communicators calculate K, and the first and second communicators can use K (or a function thereof) as a key. By adapting the above described Diffie-Hellman key exchange to another group defined for GF (p ^k ) using elliptic curves or single-guard-bit notation or multi-guard-bit notation, the present invention provides a Compared to the conventional method, this may result in increased computational efficiency, or increased security for the same computational effort.

By generating a security key K in accordance with the key exchange algorithm described above, the first and second communicators use the key in combination with the first and second FFCUs 2411 and 2415 to encrypt and decrypt the exchanged messages. The encryption / decryption algorithm in this regard may be, for example, a conventional encryption method such as RSA or DES known in the art or any other suitable encryption algorithm.

The first encryption device 2401 and the second encryption device 2403 have been described as including finite-field encryption units and key sources, respectively. The first finite-field encryption unit 2411 and the first key source 2409 of the first encryption apparatus 2401 may be realized using a memory and a processing unit coupled to the memory. In other words, the first encryption apparatus 2410 may include a memory and a processing unit coupled with the memory, where the processing unit may be configured to execute the above steps for the first encryption unit. Similarly, the second encryption device may comprise a memory and a processing unit coupled with the memory, where the processing unit of the second encryption device may be configured to perform the above steps for the second encryption unit.

Of course, a typical aspect of the present invention described above is to store some or all of the field elements in a single register (or store some or all of the amounts representing points on an elliptic curve for F in a single register), single or The use of multiple guard bits may include, but is not limited to, selection of various functional forms of p, etc., in the exemplary method 2500 shown in FIG.

In another aspect of the present invention, a public key encryption method is provided as another example of the encryption method 2450. An exemplary method of public key encryption 2600 in accordance with the present invention is described with reference to FIGS. 24A and 26. The typical method 2600 corresponds to the adaptation of ElGamal public key encryption and decryption according to the present invention. Each of the encryption apparatuses 2401 and 2403 shown in Fig. 24A can be realized using a memory and a processing unit coupled to the memory, where each processing unit executes steps associated with that encryption apparatus.

In the typical method 2600, the second communicator obtains the public key yA associated with the first communicator, where yA = g ^xA and xA is the private key of the first communicator (step 2601). For example, the second communicator may receive a transmission including the public key and the quantity of the first communicator, or the second communicator may use the quantity from a directory in which the public key and the information of the first communicator are published. You can look up. The amount of g is an element of the finite field F or a point on an elliptic curve for F, where F is an odd-number finite field GF (p ^k ) or an extended field of GF (p ^k ), and p is an odd number. For the F to be used and for a particular choice as to whether an elliptic curve is used or whether the first communicator can publish this information in a list according to the public key yA and the amount, the first and second communicators can match in advance. have. The yA amount includes a plurality of first basis coefficients, the amount of g includes a plurality of second basis coefficients, and the first and second basis coefficients are elements of GF (p). The first communicator generates the public key yA = g ^xA using the first encryption apparatus 2401. As can be commonly understood in the art, the private key xA of the first communicator can be a random or pseudo randomly generated integer and is not intended to be shared with other communicators. In this regard, the FFCU 2411 associated with the first communicator can store multiple groups of data bits representing coefficients of g in registers, combined with single-guard-bit notation or multi-guard-bit notation. The exponential operation mentioned in Eq. 32 can be used to process yA by processing multiple groups of data bits in parallel. As described above, the public key yA of the first communicator may be disclosed in the list, but the first communicator is intended to keep the xA amount (private key) secret.

The second communicator generates a number r (e.g., uses a random number generator or pseudo random number generator, which may be included in the key source 2413), and uses the FFCU 2415 (e.g., a processing unit) to pair (u, v) = (g ^r , f ^-1 (P) * (yA) ^r ), where P represents the plaintext message in the plaintext message set, and f is the vector for F in the plaintext message set. A mapping function that maps at least a portion of the space, and * denotes an appropriate binary operation in vector space for F (step 2603). For further explanation regarding the vector space and operation * for the mapping functions f, F, see FIG. 27 (if g is an element of f) and FIG. 28 (if g is a point on an elliptic curve for F) below. Explain.

As generally understood in the art, the number r may be an integer generated randomly or pseudorandomly. The number r is not intended to be shared with other communicators, and in this respect can be considered a password. To calculate the amount of v, multiple groups of first data bits representing at least a portion of the plurality of first basis coefficients of y A are stored in a first register and processed in parallel. At least one first guard bit is located adjacent to the most significant bit of each group of first data bits, and each group of first data bits from an adjacent group of first data bits is defined by the corresponding at least one first guard bit. To be separated, multiple groups of first data bits can be stored in the first resist. In other words, either single-guard-bit notation or multi-guard-bit notation can be used. An initial value of zero may be assigned to each first guard bit. When g is selected as an element of F, the exponent of yA may be performed according to Equation 32 described above. If g is selected as the point on the elliptic curve for F, then (yA) the exponent associated with ^r and g ^xA is denoted by r-fold (or ^xA -fold) elliptic-curve point addition. do.

The first and second communicators match in advance for the set of plaintext messages to be used in the communication between them. The function f is a mapping function that maps at least a portion of the vector space for F to a plaintext message set, and the first and second communicators match in advance for the mapping function f. For example, a plaintext message set may consist of words, sentences, and / or individual characters, and each plaintext message may be encoded as an integer.

The amount of g will create a group in which encryption calculations are performed, the nature of the group depends on the choice of g. It will also be appreciated by one of ordinary skill in the art that the choice of g (or group) also affects the dimension of the vector space for F. The characteristics of the group also affect how the exponent is performed in step 2603 and affect the choice of binary operation *. For example, the group generated by g may be a finite field F, in which case the vector space becomes a one-dimensional vector space corresponding to F, and the operation * is a multiplication in F. Alternatively, the group generated by g may be a subgroup of the finite field F, in which case the vector space becomes a one-dimensional vector space corresponding to F, and * is again a multiplication in F. Alternatively, the group generated by g may be an elliptic curve group for F, and the operation * is an elliptic-curve point addition or component unit in FxF, as described in detail with reference to FIG. wise) multiplication. In the latter case, the vector space for F can be chosen according to two options. In a first choice, the vector space for F may be a two-dimensional vector space corresponding to FxF, where "x" denotes a Cartesian product. In a second choice, the vector space may be a three-dimensional vector space for F, in which projective coordinates are used in relation to the elliptic curve groups known in the art. To the extent that the group created by g can be made smaller than any of the vector spaces described above, f may be sufficient to map only a portion of the vector space for F to a set of plaintext messages.

Therefore, the amount of g should be chosen so that the size of the group created by g is equal to or larger than the plaintext message set. In addition, it is assumed that g amount and yA that are assumed to be publicly available are selected such that it is computationally impossible to determine xA from yA and g. Other considerations, including the relationship between security and the size of the group created by g, are evident in the art in view of the nature of the previously published ElGamal public key cryptosystem, for example the Handbook of Applied mentioned above. It is described in Cryptography . For example, a method of selecting the size of a group used in a conventional ElGamal public key cryptosystem is known in the art. Alternatively, methods of approximating the size of a group based on a given choice of constructor are also known in the art. This aspect is also applicable to the method 2600 described above in accordance with the present invention.

The mapping function f must be chosen such that each element of the group produced by g corresponds to a different plaintext message. In other words, the mapping function f may be uniquely inevitable. Alternatively, if the group generated by g is larger than the plaintext message set, the mapping function f may be selected such that one or more elements of the group generated by p combine with the same plaintext message. If the plaintext message is encoded as an integer, the mapping such that f is an almost injective mapping (injective mapping) from the group produced by g to the set of integers 0, 1, 2, ..., Q-1. Function f may be selected. Where Q ≒ | G | (| G | is the size of the group). For example, this can be essentially identity mapping. The choice of a given mapping function f is within the scope of one of ordinary skill in the art, in light of the above findings.

The second communicator sends a pair of (u, v) quantities to the first communicator via unsafe channel 2417 (step 2605). The (u, v) amount of the pair corresponds to an encrypted version of the plaintext message.

In addition, by storing multiple groups of second data bits representing at least a portion of g's plurality of second basis coefficients in a second register and processing the multiple groups of second data bits in parallel, the calculation of the amount of u is performed in a second manner. It can be executed by a communicator. In this regard, either single-guard-bit notation or multi-guard-bit notation can be used. The calculation of g ^xA (to calculate u) can be performed using exponents according to equation 32 or using xA-fold elliptic-curve point addition depending on the choice for g. g, u and v amount may be an element of the finite field F, where F may be selected as an extension field of a ^(k p) or GF GF (p ^k). Alternatively, the g, u and v amounts may be points on an elliptic curve for F.

The first communicator can decode the received (u, v) amount of the pair, so that by calculating P = f (u ^-xA * v) where u ^-xA * v = v / u ^xA , the plaintext message (P), where "/" indicates the inverse of operation * (step 2607). According to the exponential function of equation 32 or according to the appropriate xA-fold elliptic-curve point addition, the u ^xA amount can be calculated by the first FFCU 2411. As noted above with respect to key exchange, this calculation can be performed using single-guard-bit notation or multi-guard-bit notation. Assume that only the first communicator, who knows xA, can decrypt this message. By implementing the aforementioned adaptation of ElGamal public key cryptography using single-guard-bit notation or multi-guard-bit notation, the present invention provides increased computational efficiency compared to the conventional method, which is increased compared to the prior art. It will appear either as speed or as increased security for the same computational effort.

Of course, storing some or all of the field elements in a single register (or storing some or all amounts representing points on an elliptic curve for F), using single or multiple guard bits, various functional forms of p Typical aspects of the present invention described above, including, but not limited to, selection of and the like, can be applied to the exemplary method 2600 shown in FIG. 26.

A typical implementation of the method 2600 will now be described with reference to Figures 27 (when g is the cause of F) and 28 (when g is the point on the elliptic curve for F). 27 is a flow diagram for an exemplary method 2700 of public key encryption. In the typical method 2700, the second communicator obtains the public key yA associated with the first communicator, where yA = g ^xA and xA is the private key of the first communicator (step 2701). For example, the second communicator may receive a transmission including the public key and quantity of the first communicator, or the second communicator may retrieve the public key and quantity of the first communicator from a list from which this information is published. You can look up. The amount of g is an element of the finite field F, where F is an odd-number finite field GF (p ^k ) or an extended field of GF (p ^k ), and p is an odd number. The first and second communicators may agree on a particular choice for F used in advance, or the first communicator may publish this information in the list according to the public key and g. The amount yA includes a plurality of first basis coefficients, the amount of g includes a plurality of second basis coefficients, and the first and second basis coefficients are elements of GF (p). The first communicator may generate the public key yA = g ^xA using the first encryption apparatus 2401. The private key xA of the first communicator is generally understood in the art, and may be an integer generated randomly or pseudorandomly, and is not intended for sharing with other communicators. In this regard, the FFCU 2411 associated with the first communicator can store multiple groups of data bits representing coefficients of g in registers, combined with single-guard-bit notation or multi-guard-bit notation The exponential operation mentioned in 32 can be used to process yA by processing multiple groups of data bits in parallel. As described above, the public key yA of the first communicator may be disclosed in the list, but the first communicator is intended to keep the xA amount (private key) secret.

The second communicator generates a number r (e.g., uses a random number generator or pseudo random number generator, which may be included in the key source 2413), and uses the FFCU 2415 (e.g., a processing unit) to pair (u, v) = (g ^r , f ^-1 (P) * (yA) ^r ), where * denotes the multiplication in F and P denotes the plaintext message of the plaintext message set (step 2703) ). As generally understood in the art, the number r may be an integer generated randomly or pseudorandomly. The number r is not intended to be shared with other communicators, and in this respect can be considered a password. To calculate the amount of v, multiple groups of first data bits representing at least a portion of the plurality of first basis coefficients of y A are stored in a first register and processed in parallel. At least one first guard bit is located adjacent to the most significant bit of each group of first data bits, and each group of first data bits from an adjacent group of first data bits is defined by the corresponding at least one first guard bit. To be separated, multiple groups of first data bits can be stored in the first resist. In other words, either single-guard-bit notation or multi-guard-bit notation can be used. An initial value of zero may be assigned to each first guard bit. In addition, the index of yA may be implemented according to Equation 32 described above.

The first and second communicators match in advance for the set of plaintext messages to be used in the communication between them. The function f is a mapping function that maps at least a portion of F to a plaintext message set, and the first and second communicators match in advance with the mapping function f. For example, a plaintext message set may consist of words, sentences, and / or individual characters, and each plaintext message may be encoded as an integer. g will create a group in which encryption calculations are performed. Such a group may be a multiplication group of the finite field F or a subgroup of the multiplication group according to the selection of g. To the extent that the group created by g can be made smaller than any of the vector spaces described above, f may be sufficient to map only a portion of the vector space for F to a set of plaintext messages.

Therefore, the amount of g should be chosen so that the size of the group created by g is equal to or larger than the plaintext message set. It is also assumed that the g and yA amounts that are assumed to be publicly available are chosen such that it is computationally impossible to determine xA from yA and g. Other considerations, including the relationship between security and the size of the group created by g, are evident in the art in view of the nature of the previously published ElGamal public key cryptosystem, for example the Handbook of Applied mentioned above. It is described in Cryptography . For example, a method of selecting the size of a group used in a conventional ElGamal public key cryptosystem is known in the art. Alternatively, methods of approximating the size of a group based on a given choice of constructor are also known in the art. This aspect is also applicable to the method 2600 described above in accordance with the present invention.

The mapping function f must be chosen such that each element of the group produced by g corresponds to a different plaintext message. In other words, the mapping function f may be uniquely inevitable. Alternatively, if the group generated by g is larger than the plaintext message set, the mapping function f may be selected such that one or more elements of the group generated by p combine with the same plaintext message. If the plaintext message is encoded as an integer, the mapping function f such that f is an almost injective mapping from the group produced by g to the set of integers 0, 1, 2, ..., Q-1. ) May be selected. Where Q ≒ | G | (| G | is the size of the group). For example, this can be essentially identity mapping. The choice of a given mapping function f is within the scope of one of ordinary skill in the art, in light of the above findings.

The second communicator sends a pair of (u, v) quantities to the first communicator via unsafe channel 2417 (step 2705). The amount of (u, v) of the pair corresponds to an encrypted version of the plaintext message.

In addition, by storing multiple groups of second data bits representing at least a portion of g's plurality of second basis coefficients in a second register and processing the multiple groups of second data bits in parallel, the calculation of the amount of u is performed in a second manner. It can be executed by a communicator. In this regard, either single-guard-bit notation or multi-guard-bit notation can be used, and the exponent of g (to calculate u) can be implemented using Eq 32 above. g, u and v amount may be an element of the finite field F, where F may be selected as an extension field of a ^(k p) or GF GF (p ^k).

The first communicator can decode the received (u, v) amount of the pair, so that by calculating P = f (u ^-xA * v) where u ^-xA * v = v / u ^xA , the plaintext message (P), where “/” denotes division in F (step 2707). Performing division in F is within the scope of one of ordinary skill in the art, so no further discussion is required. As described above in connection with the key exchange, the amount of u ^xA can be calculated by the first FFCU 2411 by applying the exponential function of equation 32, using single-guard-bit notation or multi-guard-bit notation. . Assume that only the first communicator, who knows xA, can decrypt this message. By performing the adaptation of ElGamal public key cryptography described above to the group or field itself defined for GF (p ^k ) using single-guard-bit notation or multi-guard-bit notation, the present invention provides a conventional method. It provides increased computational efficiency compared to, which will appear as either increased speed compared to the prior art or increased security for the same computational effort.

Of course, storing some or all of the field elements in a single register (or storing some or all amounts representing points on an elliptic curve for GF (p ^k )), using single or multiple guard bits, p Typical aspects of the present invention described above, including but not limited to, selection of various functional forms of a, may be applied to the exemplary method 2700 shown in FIG.

The public key encryption method 2700 described above may be modified in accordance with the present invention to implement using an elliptic curve for F, where F is as described above. An exemplary method 2800 of public key cryptography is described with reference to FIG. Indeed, this process is entirely similar to that described in connection with FIG. 27, so that the discussion is omitted here and the differences are mainly discussed. The first and second communicators are assumed to have been matched for the elliptic curve group, or the description for the group to be used is assumed to be transmitted between the communicators. This can be done, for example, as a preamble to the actual message. In the method 2800, step 2801 is entirely similar to step 2701 described above, except that g is a point on an elliptic curve for F. Thus, in a typical method 2800, the second communicator obtains the public key yA associated with the first communicator, where yA is g ^xA and xA is the private key of the first communicator (step 2801). The amount of g is the point on the elliptic curve for the finite field F, where F is the extension field of the odd-number finite field GF (p ^k ) or GF (p ^k ), and p is the odd number. The amount yA includes a plurality of first basis coefficients, the amount of g includes a plurality of second basis coefficients, and the first and second basis coefficients are elements of GF (p).

The second communicator generates a number r (e.g., uses a random number generator or pseudo random number generator, which may be included in the key source 2413), and uses the FFCU 2415 (e.g., a processing unit) to pair (u, v) = (g ^r , f ^-1 (P) * (yA) ^r ), where P denotes a plaintext message in a set of plaintext messages, and * denotes an elliptic-curve point addition or at FxF Indicating component unit multiplication, where r can be generated as described above (step 2803). Function f is a mapping function that maps at least a portion of FxF to a set of plaintext messages, where multiple groups of first data bits representing at least a portion of the plurality of first data basis coefficients of yA are stored in a first register and in parallel Is processed to calculate v. Additional aspects related to the calculation of u and v are described below.

As shown in step 2805, the second communicator sends the (u, v) amounts of the pair to the first communicator, the amount of the pair corresponding to an encrypted version of the plaintext message. As shown in step 2807, the first communicator can decode the received (u, v) amount of the pair, so that by calculating P = f (u ^-xA * v), where u ^-xA * v = v / u ^xA ), recover the plaintext message P, where “/” denotes the inverse of the operation * (step 2707). The operation “/” is further described in detail below. As described above in connection with the key exchange, the amount of u ^xA can be calculated by the first FFCU 2411 by applying the exponential function of equation 32, using single-guard-bit notation or multi-guard-bit notation. . Assume that only the first communicator, who knows xA, can decrypt this message. By performing the adaptation of ElGamal public key cryptography described above to an elliptic curve for F, using single-guard-bit notation or multi-guard-bit notation, the present invention provides increased computational efficiency compared to conventional methods. This will appear as either increased speed or increased security for the same computational effort as compared to the prior art.

Additional aspects related to the calculation of the u and v amounts of the pair by the first communicator and the recovery of the plaintext message P from the u and v amounts of the pair by the first communicator are described. In terms of notation, as already mentioned in connection with equation 49, the exponents associated with (yA) ^τ , g ^τ, etc., now represent r-fold (or xA-fold) elliptic-curve point additions. Therefore, calculating the amount of u is entirely similar to the method described with respect to FIG. 27, where u becomes an elliptic-curve point from now on.

For v, two cases that can be considered for the operation * and the mapping function f are described. In either case, the second communicator needs to calculate a value of the form f ⁻¹ (P) * (yA) ^τ , where (yA) ^τ is the point on the elliptic curve, i.e. (x, y) at FxF. Is a pair of coordinates, and x represents a Cartesian product, ie an element pair from F Therefore, f- ¹ needs to generate a value that can be composed of two-dimensional values. In the first case where f can be chosen to ensure that f ⁻¹ is a point on an elliptic curve, * may simply be an ordinary elliptic-curve point addition operation. For the first communicator in this case, the “/” operation is point subtraction (the inverse of addition, well known in the art). For the first case, f mapping can be performed in several ways, an example of which is as follows. Assume that the plaintext message space consists of a binary string of length less than lk log ₂ (p), where l, k, and p are the values that define field F. Note that this can be assumed without compromising generality, because long messages can be cut into smaller blocks that meet this length limit, and each block can be processed separately. As the basis coefficient set of field F, P can be interpreted in a natural way. P does not uniquely determine the element associated with this set of basis coefficients because some bits remain unspecified. (The actual position of the unspecified bit can be matched in advance or after communication in the communication period.) A random value R can be assigned to the unspecified bit, and a value of x = x (P, R) can be obtained from F. have. This x value is obtained as the right side of the equation (48). As is well known in the art, the probability that there is a left y-value that satisfies the equivalence of equation 48 is 1/2, and if present, finding a matching y-value can be performed by known methods. If no matching y value exists, the process is repeated for a new random R or the like. The probability that the process will fail repeatedly for a large number of successive attempts is small. The method describes how f ⁻¹ can be calculated by the second communicator. By simply discarding the y-axis of the elliptic curve point and by discarding the bit-position corresponding to the randomly selected R-bit, the first communicator calculates f.

The above procedure merely serves as an example of how to embed a message as an elliptic curve point, and other methods of defining f are possible. For this method, it can generally be a bit complicated to ensure that the mapping always produces a point on an elliptic curve that satisfies equation 48. This concludes the discussion regarding the first typical case for the selection of the mapping function f and the operation “*” associated with steps 2803 and 2807.

In the second typical case for the selection of the mapping function f and the operation “*”, it is not necessary to carry out the calculations in steps 2803 and 2807 to generate points on the elliptic curve. Thus, the method including the second case may be of further interest. One typical method for the second case is described. In the second case, f is selected to be a mapping that maps at least a portion of the arbitrary value in FxF to the plaintext space. That is, it generates some arbitrary (x, y) coordinate pairs that do not need to satisfy 48. This is done so that only decryption is almost always guaranteed (hence field F generally needs to be at least as large as the square root of the plane text space size). Finding such f is easy and well known in the art. For example, by interpreting P as a set of base coefficients, encoded in a binary string, f can necessarily be an identity mapping. In the second case, the combinatorial operation * may be defined as coordinate-wise multiplication in F, ie (a, b) * (x, y) = (ax, by). For the second communicator (the receiver in this typical description), the operation "/" is correspondingly defined as division of coordinate units in F (inverse operation of "*"). Methods of using coordinate-unit multiplication and division rather than elliptic curve operations are known in the literature as Menezes-Vanstone methods and can be applied to the present invention as described above.

In both of the above mentioned methods relating to the two cases for the selection of the mapping function f, parallel processing multiple groups of data bits representing the basis coefficients are generated as described above.

The above three methods according to the present invention with reference to FIGS. 27 and 28 (Fellow ElGamal, Modified for El, plaintext in E, elliptic curves for F, ElGAmal, F without incorporating plaintext in E In all of the modified ElGamal for the elliptic curve E for, the function (f) is used to assign at least a portion of the one-dimensional vector space (i.e., F) or two-dimensional vector space (i.e., FxF) It can be seen that the mapping.

In another exemplary embodiment, at least a portion of the three-dimensional vector space for F is mapped to a plaintext message set, instead of mapping at least a portion of the two-dimensional vector space for F (ie, FxF) to a plaintext message set. The method 2800 can be modified to select a mapping function f. In this aspect, projection coordinates in three-dimensional vector space are used in conjunction with the elliptic curve method. Another aspect of the method is the same as described in FIG. 28 for the typical method 2800. Since projection coordinates are well known in the art, discussion of modifying the method 2800 in accordance with this aspect is no longer necessary.

In another aspect of the invention, encryption, decryption and / or authentication may be performed using a security key selected by one of the communicators, and via a secure channel, such as secure channel 2421 shown in FIG. 24A. Can be exchanged. For example, one of the first communicator or the second communicator may generate a security key using the first key source 2409 or the second key source 2413. Such security keys may be exchanged over a secure channel 2412 (e.g., using a courier). Encryption and decryption can be performed using the FFCUs 2411 and 2415 shown in FIG. 24A. In this regard, the encryption algorithm mentioned in 24B can be any appropriate encryption algorithm that can be executed according to the method 2450, so that the encrypted information can be transmitted over the insecure channel 2417. As another example, information may be encrypted using any conventional encryption algorithm, and the encryption algorithm referred to in FIG. 24B may be based on security keys exchanged over a secure channel 2412 and the method 2450. It may be any suitable authentication algorithm, which may be executed according to. Implementing an appropriate authentication algorithm in accordance with the method 2450 is within the scope of those skilled in the art, in light of the teachings herein.

In another aspect of the present invention, ElGamal public key cryptography can be modified using the method of the present invention for a finite field F, where F is digital signatures using an encryption system 2400 shown in FIG. 24A. Is an extended field of finite field GF (p ^k ) or GF (p ^k ), where p is an odd number. For example, this variation based on the underlying DSA (Digital Sign Algorithm) is described. Other variations also exist.

Once again, defined for the F group, g quantity (e.g., a point on the elliptic curve for F element or F), and a mapping function (f) is, GF (p ^k) in accordance with the present invention in FIG. 26 As described in connection with a typical realization of an ElGamal public key for, it is matched by first and second communicators. Further, the first communicator generates the above-mentioned private key xA and public key yA. In order to sign a message P (e.g., plaintext or integer encoded ciphertext), the first communicator proceeds as follows. The first communicator uses a random number generator or pseudo random number generator, which may be coupled to key source 2409, for example, to generate a number r (eg, a random or pseudo randomly generated integer), Compute a = g ^r using first FFCU 2411 by applying exponential function 32 in conjunction with either -guard-bit notation or multi-guard-bit notation. The number r is not intended to be shared with other communicators, and may be considered as a password in this regard. The first communicator calculates the solution to

50

Where * is the normal multiplication to find the amount of b that satisfies equation 50. Assume that only the first communicator, known as xA, can do this. The signature for message P is defined by pairs (a, b).

Since the first communicator can sign the plaintext message P using the first FFCU 2411 by applying one of the ciphering methods described above, the first communicator generates a signature (a, b) and generates a sign via the unsafe channel 2417. Send P and pair (a, b) to the two communicators.

To prove that the pair (a, b) indicates a valid sign for P of the first communicator, the second communicator calculates the following u and v quantities.

(51)

(52)

Where b ^-1 is the multiplication inverse of b and * denotes multiplication (normal multiplication). storing multiple groups of first data bits representing coefficients of yA in a first register, multiple groups of second data bits representing coefficients of g notation in a second register, and storing multiple groups of first data bits By applying the exponential function 32 in conjunction with the method of the present invention, which processes the groups in parallel and processes the multiple groups of second data bits in parallel, the second communicator uses a second FFCU 2415 to g. compute ^u (yA) ^v The second communicator accepts the sign as valid only if g ^u (yA) ^v = a. Therefore, the calculation method including the field GF (p ^k ) according to the present invention can be applied to a digital sign, and the calculation is much faster than the conventional method including the GF (p ^k ), or forged signs with the same calculation effort. (forged signature) can be implemented to provide significantly higher security.

Using an elliptic curve for F in accordance with the present invention is a possible setting for digital sine. In the case of an elliptic curve, the difference that needs to be considered in comparison with the above realization of the digital signature is entirely similar to the difference in the realization of public key cryptography, where g is an element of the finite field F (FIG. 27), g is the point on the elliptic curve for F (FIG. 28). Thus no further discussion is needed for using an elliptic curve associated with a digital sign in accordance with the present invention.

In another aspect of the invention, a pseudo random number generator may be provided that performs the calculation in field GF (p ^t ) using the calculation method described above (p is odd). Pseudo random number generators deterministically extend short random seeds into long randomly appearing strings. Many conventional structures are known in the art, and such structures can be based, for example, on finite field or elliptic curves. The calculation method of the present invention described above can apply such a structure.

For example, F = GF (p ⁿ ) is called a finite field defined as an extension field of GF (p ^t ) for a certain t = n / w. Where w is an integer. The field element of F that creates a sufficiently large subgroup of the multiplication group of F is called g. Further, the function as described above in connection with the application of the present invention to ElGamal public key cryptography is called f. Finally, trace-mapping, which is well known in the art, is called Tr, which maps the elements of F to the elements of GF (p ^t ) according to the following equation. For any x in F,

(53)

Finally, the function I (x) is defined as I (x) = g ^x .

If a random seed s (binary encoded integer) is input, the constructor is defined as follows. Let x ₀ = I (s) and x _{i + 1} = I (f (x _i )) for i = 0, 1, 2, ..., T. The smaller the T, the higher the security. However, in principle, the T can be very large, for example, comparable to the square root of the field size. In addition, the output of the pseudo random number generator is defined as a connection of Tr (x ₀ ), Tr (x ₁ ), Tr (x ₂ ), ... This method provides an output consisting of pseudo random elements of GF (p ^t ). If a binary string is required as an output, an appropriate transform function can be applied to the output. Under the assumption that discrete log problems in the group are difficult to process (ie, computationally impossible), the pseudo random number generator described above is safe. As noted above, the pseudo random number generator utilizes various operations in GF (p ^t ), including addition, subtraction, multiplication and exponent, and is based on single-guard-bit notation or multi-guard-bit notation. As described above, the method of the present invention can be used to efficiently execute essential calculations.

The embodiments described herein are for illustrative purposes only and should not be considered limiting in any way. The scope of the invention is given by the appended claims rather than the foregoing, and all modifications and equivalents falling within the scope of the claims are intended to be construed as included herein.

This application discloses a US patent application “Efficient arithmetic in finite fields of odd characteristic on binary hardware”, serial number 10 / 271,730 (Attorney Docket No. 040000-793), and US patent application “Error correction using finite fields of odd characteristic on binary. hardware, serial number No. 10 / 271,945 (Attorney Docket No. 040001-178), both of which are filed on the same page, the disclosures of which are incorporated herein by reference in their entirety.

Claims (53)

In the encryption device, Key source; And A hole-number finite-field encryption unit for coupling with the key source, The odd-number finite-field encryption unit Stores binary data representing at least a portion of the field elements of the odd-number finite field GF (p ^k ) in a register, p is an odd number, the field elements containing k coefficients according to polynomial-based notation, and binary The data comprises multiple groups of data bits, each group of data bits representing an associated one of the k coefficients,     Encrypting binary data according to an encryption algorithm such that multiple groups of data bits are processed in parallel. In claim 1, And the binary data stored in the register indicates all k coefficients of the field elements. In claim 1, The encryption algorithm is one of a key-exchange algorithm and a public key encryption algorithm. In claim 1, Multiple groups of data bits are stored in a register such that at least one guard bit is located adjacent to the most significant bit of each group of data bits, each group of data bits being contiguous to the data bits by at least one guard bit corresponding thereto. Encryption device, characterized in that separated from the group. In claim 4, And an initial value of zero is assigned to each of the at least one guard bit. In claim 4, And a guard bit is located adjacent to the most significant bit of each group of data bits. In claim 4, And multiple guard bits are located adjacent to the most significant bit of each group of data bits. In the encryption method, Storing binary data representing at least a portion of the field elements of the odd-number finite field GF (p ^k ) in a register, where p is an odd number, the field element comprising a k coefficient according to polynomial-based notation; Binary data comprises multiple groups of data bits, where each group of data bits represents an associated one of the k coefficients; And Processing binary data in accordance with an encryption algorithm such that a plurality of groups of data bits are processed in parallel. In claim 8, And the binary data stored in the register indicates all k coefficients of the field elements. In claim 8, The encryption algorithm is one of a key-exchange algorithm and a public key encryption algorithm. In claim 8, Storing a plurality of groups of data bits in a register such that at least one guard bit is located adjacent to the most significant bit of each group of data bits, each group of data bits being defined by the corresponding at least one guard bit. An encryption method, characterized in that it is separated from an adjacent group of data bits. In claim 11, Assigning an initial value of zero to each of the at least one guard bit. In claim 11, And a guard bit is located adjacent to the most significant bit of each group of data bits. In claim 11, And multiple guard bits are located adjacent to the most significant bit of each group of data bits. In the encryption device, Memory; And A processing unit coupled with the memory, The processing unit     Generate number xA, Generate and send yA, where yA = g ^xA , g is an element of F or a point on an elliptic curve for F, F is an extended field of hole-number finite field GF (p ^k ) or GF (p ^k ) , p is an odd number, where g includes a plurality of first basis coefficients, and the first basis coefficient is an element of GF (p), where first data representing at least a portion of the plurality of first basis coefficients of g Store multiple groups of bits in a first register and process them in parallel to produce yA, receives yB, where yB = g ^xB , where yB comprises a plurality of second basis coefficients, the second basis coefficients are elements of GF (p), store multiple groups of second data bits indicative of at least some of the plurality of second basis coefficients of yB in a second register, To process K = (yB) ^xA by processing multiple groups of second data bits in parallel, And the processing unit generates a security key. The method of claim 15, And the number xA is an integer generated randomly or pseudo-randomly. The method of claim 15, Multiple groups of first data bits are stored in a first register such that the at least one first guard bit is located adjacent to the most significant bit of each group of first data bits, and each group of first data bits is associated with at least one of the corresponding at least one first guard bits. And a first guard bit separated from an adjacent group of first data bits. The method of claim 17, And an initial value of zero is assigned to each of the at least one first guard bit. The method of claim 15, and g and yB are elements of F. The method of claim 15, and g and yB are points on an elliptic curve for F. In the key exchange method,     Generating number xA; generating and transmitting yA, where yA = g ^xA , g is an element of F or a point on an elliptic curve for F, and F is an odd-field finite field GF (p ^k ) or an extended field of GF (p ^k ) And p is an odd number, where g includes a plurality of first basis coefficients, and the first basis coefficient is an element of GF (p), where a first indicating at least a portion of the plurality of first basis coefficients of g Storing multiple groups of data bits in a first register and processing in parallel to produce yA; receiving yB, where yB = g ^xB , wherein yB comprises a plurality of second basis coefficients, the second basis coefficients being an element of GF (p); storing multiple groups of second data bits indicative of at least some of the plurality of second basis coefficients of yB in a second register; And Processing multiple groups of second data bits in parallel to calculate K = (yB) ^xA , Key exchange method, characterized in that for generating a security key. The method of claim 21, And the number xA is a randomly or pseudorandomly generated integer. The method of claim 21, Multiple groups of first data bits are stored in a first register such that the at least one first guard bit is located adjacent to the most significant bit of each group of first data bits, and each group of first data bits is associated with at least one of the corresponding at least one first guard bits. And a first guard bit separated from an adjacent group of first data bits. The method of claim 23, And an initial value of zero is assigned to each of the at least one first guard bit. The method of claim 21, g and yB are elements of F; The method of claim 21, g and yB are points on an elliptic curve for F. In a computer-readable carrier adapted to program a computer to execute a plurality of steps, the plurality of steps     Generating number xA; generating and transmitting yA, where yA = g ^xA , g is an element of F or a point on an elliptic curve for F, and F is an odd-field finite field GF (p ^k ) or an extended field of GF (p ^k ) And p is an odd number, where g includes a plurality of first basis coefficients, and the first basis coefficient is an element of GF (p), where a first indicating at least a portion of the plurality of first basis coefficients of g Storing multiple groups of data bits in a first register and processing in parallel; receiving yB, where yB = g ^xB , wherein yB comprises a plurality of second basis coefficients, the second basis coefficients being an element of GF (p); storing multiple groups of second data bits indicative of at least some of the plurality of second basis coefficients of yB in a second register; And Processing multiple groups of second data bits in parallel to calculate K = (yB) ^xA , Computer-readable carrier, characterized in generating a security key. The method of claim 27, And the number xA is a randomly or pseudorandomly generated integer. The method of claim 27, Multiple groups of first data bits are stored in a first register such that the at least one first guard bit is located adjacent to the most significant bit of each group of first data bits, and each group of first data bits is associated with at least one of the corresponding at least one first guard bits. And a first guard bit separated from an adjacent group of first data bits. The method of claim 29, And each of the at least one first guard bit is assigned an initial value of zero. The method of claim 27, g and yB are elements of F, computer-readable carrier. The method of claim 27, g and yB are points on an elliptic curve for F. In the encryption device, Memory; And A processing unit coupled to the memory, The processing unit Find the public key yA associated with the first communicator, where yA = g ^xA , where xA is the private key of the first communicator, g is an element of finite field F or is a point on an elliptic curve for F, and F is a hole- Is a finite field GF (p ^k ) or an extended field of GF (p ^k ), p is an odd number, where yA includes a plurality of first basis coefficients, and g includes a plurality of second basis coefficients , The first and second basis coefficients are elements of GF (p), Generate the number r and u = g ^r and Calculate the amount of (u, v) of the pair in v = f ^-1 (P) * (yA) ^r , where P denotes a plaintext message in a set of plaintext messages, and f is at least in vector space for F A mapping function that maps a portion to a set of plaintext messages, where * denotes a binary operation in the vector space, where multiple groups of first data bits representing at least a portion of the plurality of first basis coefficients of yA Stored in 1 register and processed in parallel to calculate v,     Send the (u, v) amounts of the pair to the first communicator, where the amount of the pair corresponds to an encrypted version of the plaintext message, And an encryption device. The method of claim 33, And the number r is an integer generated randomly or pseudo-randomly. The method of claim 33, Multiple groups of first data bits are stored in a first register such that the at least one first guard bit is located adjacent to the most significant bit of each group of first data bits, and each group of first data bits is associated with at least one of the corresponding at least one first guard bits. And a first guard bit separated from an adjacent group of first data bits. 36. The method of claim 35 wherein And an initial value of zero is assigned to each of the at least one first guard bit. The method of claim 33, g, u, v are elements of F, * denotes multiplication in F, and f maps at least a portion of F to a plaintext message set. The method of claim 33, g, u, v are points on an elliptic curve for F, * denotes an elliptic-curve point addition or component-unit multiplication at FxF, and f maps at least a portion of FxF to a set of plaintext messages Encryption device. The method of claim 33, and multiple groups of second data bits representing at least a portion of g's plurality of second basis coefficients are stored in a second register and processed in parallel to calculate u. In the public key encryption method, Obtaining a public key yA associated with the first communicator, where yA = g ^xA , where xA is the private key of the first communicator, g is an element of finite field F or is a point on an elliptic curve for F, and F is a hole A finite field GF (p ^k ) or an extended field of GF (p ^k ), p is an odd number, where yA includes a plurality of first basis coefficients, and g includes a plurality of second basis coefficients And the first and second basis coefficients are elements of GF (p); Generate the number r and u = g ^r and Computing the amount of (u, v) of a pair at v = f ^-1 (P) * (yA) ^r , where P denotes a plaintext message in a set of plaintext messages, and f denotes a vector space for F Is a mapping function that maps at least a portion to a set of plaintext messages, where * denotes a binary operation in the vector space, where multiple groups of first data bits representing at least a portion of the plurality of first basis coefficients of yA Stored in the first register and processed in parallel to calculate v; And Sending the (u, v) amounts of the pair to the first communicator, where the amount of the pair corresponds to an encrypted version of the plaintext message; Encryption method comprising a. 41. The method of claim 40 wherein And the number r is an integer generated randomly or pseudo-randomly. 41. The method of claim 40 wherein Multiple groups of first data bits are stored in a first register such that the at least one first guard bit is located adjacent to the most significant bit of each group of first data bits, and each group of first data bits is associated with at least one of the corresponding at least bits. And a first guard bit separated from an adjacent group of first data bits. The method of claim 42, And an initial value of zero is assigned to each of the at least one first guard bit. 41. The method of claim 40 wherein g, u, v are elements of F, * denotes multiplication in F, and f maps at least a portion of F to a plaintext message set. 41. The method of claim 40 wherein g, u, v are points on an elliptic curve for F, * denotes an elliptic-curve point addition or component-unit multiplication at FxF, and f maps at least a portion of FxF to a set of plaintext messages Encryption method. 41. The method of claim 40 wherein and multiple groups of second data bits representing at least a portion of g's plurality of second basis coefficients are stored in a second register and processed in parallel to calculate u. In a computer-readable carrier adapted to program a computer to execute a plurality of steps, the plurality of steps Obtaining a public key yA associated with the first communicator, where yA = g ^xA , where xA is the private key of the first communicator, g is an element of finite field F or is a point on an elliptic curve for F, and F is a hole A finite field GF (p ^k ) or an extended field of GF (p ^k ), p is an odd number, where yA includes a plurality of first basis coefficients, and g includes a plurality of second basis coefficients And the first and second basis coefficients are elements of GF (p); Generate the number r and u = g ^r and Computing the amount of (u, v) of a pair at v = f ^-1 (P) * (yA) ^r , where P denotes a plaintext message in a set of plaintext messages, and f denotes a vector space for F Is a mapping function that maps at least a portion to a set of plaintext messages, where * denotes a binary operation in the vector space, where multiple groups of first data bits representing at least a portion of the plurality of first basis coefficients of yA Stored in the first register and processed in parallel to calculate v; And Sending the (u, v) amounts of the pair to the first communicator, where the amount of the pair corresponds to an encrypted version of the plaintext message; Computer-readable carrier comprising a. The method of claim 47, And the number r is a randomly or pseudorandomly generated integer. 48. The computer readable medium of claim 47, wherein the computer-readable carrier is adapted to program a computer, Multiple groups of first data bits are stored in a first register such that the at least one first guard bit is located adjacent to the most significant bit of each group of first data bits, and each group of first data bits is associated with at least one of the corresponding at least bits. And separate from the contiguous group of first data bits by one first guard bit. The computer-readable carrier of claim 49, wherein the computer-readable carrier is adapted to program a computer, And assign an initial value of zero to each of the at least one first guard bit. The method of claim 47, g, u, v are elements of F, * denotes multiplication in F, and f maps at least a portion of F to a plaintext message set. The method of claim 47, g, u, v are points on an elliptic curve for F, * denotes an elliptic-curve point addition or component-unit multiplication at FxF, and f maps at least a portion of FxF to a set of plaintext messages Computer-readable carrier. The method of claim 47, and a multiple group of second data bits representing at least a portion of g's multiple second basis coefficients are stored in a second register and processed in parallel to calculate u.